About This Guide


This manual is for Novell® Nsure Identity Manager administrators, SAP developers and 
administrators, and others who implement the Identity Manager Driver 1.0 for User Management 
of SAP Software. 


The guide contains the following sections: 


+ Chapter 1, “Introducing the Identity Manager Driver for User Management of SAP Software”
+ Chapter 2, “Installing the Driver”
+ Chapter 3, “Understanding ALE Technologies”
+ Chapter 4, “Configuring the SAP System”
+ Chapter 5, “Using the SAP Java Connector Test Utility”
+ Chapter 6, “Understanding the Default Driver Configuration”
+ Chapter 7, “Troubleshooting the Driver”


Documentation Updates 


For the most recent version of the Identity Manager Driver for User Management of SAP Software
Implementation Guide, see the Nsure™ Identity Manager 2 Drivers Documentation Web site
(http://www.novell.com/documentation/lg/dirxmldrivers).


Documentation Conventions 


The term driver refers to all components of Identity Manager Driver for User Management of SAP 
Software and not to any one particular component. 


In this documentation, a greater-than symbol (>) is sometimes used to separate actions within a 
step and items in a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.


User Comments 


We want to hear your comments and suggestions about this guide and the other documentation 
included with the driver. To contact us, send e-mail to proddoc@novell.com. 
Introducing the Identity Manager Driver for User Management of SAP Software


The Identity Manager Driver 1.0 for User Management of SAP Software, subsequently referred to
as the driver, creates an automated link between Novell® eDirectory™ and SAP User Management
systems (BASIS or Web Application Server). This technology enables data flow within a business
enterprise based on its own unique requirements, and eliminates the labor-intensive and
error-prone practice of re-entering the same data into multiple databases. As User object records are
added, modified, deactivated (disabled), or deleted in SAP or eDirectory, network tasks associated
with these events can be processed automatically.


The driver allows administrators to propagate User data between SAP systems and other business 
applications and databases without the need for custom integration solutions. Administrators can 
decide what data will be shared and how data will be presented within their enterprises. 


In this section:
+ “Understanding Driver Concepts”
+ “Understanding Driver Components”
+ “New Features”


Understanding Driver Concepts 


The driver is a bidirectional synchronization product between SAP R/3 and Enterprise R/3 systems 
and eDirectory. This framework uses XML and XSLT to provide data and event transformation 
capabilities that convert eDirectory data and events into SAP data and vice-versa. 


eDirectory acts as a hub, with other applications and directories publishing their changes to it. 
eDirectory then sends changes to the applications and directories that have subscribed for them. 
This results in two main flows of data: the Publisher channel and the Subscriber channel. 


Publisher Channel 


The SAP system publishes User object information in the form of USERCLONE IDocs using 
Application Link Enabling (ALE) and Central User Administration (CUA) technology. If desired 
and properly configured, the SAP system can propagate all Add, Delete, Lock, Unlock, and 
Modify User event data to eDirectory. The driver consumes the IDoc data and converts it into 
XML format. For more information on how the driver handles IDoc processing, refer to “IDoc
Consumption by the Driver” on page 11. 


The Publisher channel then submits XML-formatted documents to the DirXML engine for 
publication into eDirectory. Using eDirectory and other drivers, the data can be shared with other 
business applications and directories. These other applications can add additional data, which in 
turn can be transferred back into the SAP User records using the standard SAP Business 
Application Programming Interface (BAPI). 
Depending on the ALE port configuration you choose, the Publisher channel either polls the SAP
database for changes via a file port or it receives the data via a TRFC connection.

The following diagram illustrates the file port configuration. With the file port configuration, the
entire IDoc is stored on the SAP host system.


[Figure: Publisher Channel: File Port Configuration (Publishing SAP Data to Other Applications). Components shown: SAP host, DirXML Remote Loader. Callouts: SAP is configured to publish USERCLONE IDocs to the external client via File Port. IDocs are posted to the host file system with client number references (C:/IDOCS/O_400_n). The driver is configured to poll the IDoc directory on intervals for IDocs pertaining to the specific client number. The driver filters and converts relevant data into XML format. The driver adds or updates the data in eDirectory.]


The following diagram illustrates the TRFC port configuration. When using the TRFC
configuration, a minimal “trigger” IDoc is stored on the driver host system. The driver handles the
parsing of the IDoc data and uses the information to read the current User object. The driver then
parses the appropriate data fields specified by the driver configuration, and provides secure
transport of the data to eDirectory. Only data elements specifically selected by the system
administrator are transported from the SAP host system to eDirectory.
[Figure: Publisher Channel: TRFC Configuration (Publishing SAP Data to Other Applications). Components shown: SAP host, DirXML Remote Loader, DirXML host, SSL connection. Callouts: SAP is configured to publish USERCLONE IDocs to the external client via TRFC Port. The driver is configured to receive IDocs via the SAP Gateway. The driver can run on the SAP host or remotely. The driver filters and converts relevant data into XML format. The driver adds or updates the data in eDirectory.]


IDoc Consumption by the Driver 


The driver consumes only Output IDoc files with the client number that is specified by the driver
configuration, thus ensuring the privacy of other IDocs that might be generated by another driver
configuration or ALE integration. Only the IDoc attributes that have been specified in the driver
Publisher filter are published to eDirectory.

The format of a successfully published IDoc file is:

<(I)nput or (O)utput>_<client number>_<consecutive IDoc number>

For example:

O_300_0000000000001001


After the IDoc has been processed and specified attributes have been published, the filename of
the IDoc file is modified to reflect the status of the publication processes. The following table lists
the IDoc status and corresponding extension:

IDoc Status                                          Filename Extension
Processing but not published                         .proc
Processed successfully and published                 .done
Processed with an error or warning                   .fail or .warn
Processed and retained for future-dated processing   .futr
Processed with corrupt or illegitimate data          .bad


You should determine what action is required, if any, after IDoc publication is complete.


NOTE: Removing the filename extension makes the IDoc available for re-processing. 
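
The naming scheme and status extensions above can be checked mechanically. The following Python script is an added example, not code from Novell or the driver: it inventories an IDoc directory for one client number, lists the files whose status needs attention, and requeues a file by stripping its extension. The function names, the three-digit client pattern, and the rule that only .fail and .warn files may be requeued are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Filename extensions from the status table above; "" means not yet processed.
STATUS = {
    "": "pending",
    ".proc": "processing",
    ".done": "published",
    ".fail": "error",
    ".warn": "warning",
    ".futr": "future-dated",
    ".bad": "corrupt or illegitimate",
}
REVIEW = (".fail", ".warn", ".bad")   # outcomes an administrator should look at
REQUEUE_OK = (".fail", ".warn")       # example policy only, not from the guide

# <I or O>_<client number>_<consecutive IDoc number>[.<status extension>]
# Assumption: client numbers are three digits, as in the guide's example.
IDOC_NAME = re.compile(r"^([IO])_(\d{3})_(\d+)(\.[a-z]+)?$")


def parse_idoc_name(name):
    """Return (direction, client, number, extension), or None if not an IDoc name."""
    match = IDOC_NAME.match(name)
    if match is None or (match.group(4) or "") not in STATUS:
        return None
    return match.group(1), match.group(2), match.group(3), match.group(4) or ""


def inventory(directory, client):
    """Group this driver's IDoc files by status; everything else is 'ignored'."""
    report = {label: [] for label in STATUS.values()}
    report["ignored"] = []
    for name in sorted(p.name for p in Path(directory).iterdir()):
        parsed = parse_idoc_name(name)
        # The driver consumes only Output IDocs for its configured client number.
        if parsed is None or parsed[0] != "O" or parsed[1] != client:
            report["ignored"].append(name)
        else:
            report[STATUS[parsed[3]]].append(name)
    return report


def needs_review(directory, client):
    """Names of IDoc files that ended in .fail, .warn or .bad for this client."""
    report = inventory(directory, client)
    return sorted(name for ext in REVIEW for name in report[STATUS[ext]])


def requeue(path):
    """Strip the status extension so the IDoc is available for re-processing."""
    path = Path(path)
    parsed = parse_idoc_name(path.name)
    if parsed is None or parsed[3] not in REQUEUE_OK:
        raise ValueError(f"refusing to requeue {path.name}")
    target = path.with_name(path.name[: -len(parsed[3])])
    if target.exists():
        raise FileExistsError(f"{target.name} is already queued")
    path.rename(target)
    return target


def build_sample_directory():
    """Create a temporary directory of constructed (not real) IDoc file names."""
    root = Path(tempfile.mkdtemp(prefix="idocs_"))
    for name in (
        "O_300_0000000000001001",
        "O_300_0000000000001002.done",
        "O_300_0000000000001003.fail",
        "O_300_0000000000001004.warn",
        "O_300_0000000000001005.futr",
        "O_300_0000000000001006.bad",
        "O_400_0000000000000007.done",   # another client's IDoc
        "I_300_0000000000000008",        # Input IDoc, not consumed by the driver
        "notes.txt",                     # unrelated file
    ):
        (root / name).write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    sample = build_sample_directory()
    for status, names in inventory(sample, "300").items():
        print(f"{status:24} {names}")
    print("needs review:", needs_review(sample, "300"))
```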




Subscriber Channel 


The Subscriber channel receives XML-formatted eDirectory events from the DirXML engine. The
driver then converts these documents to an appropriate data format, and updates SAP via the BAPI
interface. eDirectory sends changes only to the applications that subscribe to receive them.


[Figure: Subscriber Channel (Populating SAP with Data from Other Applications). Components shown: SAP host (SAP Basis or SAP WAS), DirXML Remote Loader, DirXML driver. Callouts: Data the SAP driver subscribes to from other applications arrives as XML. The driver translates the XML document into BAPI (the SAP native API) and adds, deletes, or modifies the data in SAP. The driver can run on the SAP host or remotely.]


For data to flow from eDirectory to the SAP system, the driver uses the SAP BAPI functions. The
level of functionality is based upon the R/3 release level. By default, the driver is configured to
support a SAP 4.6C system using USERCLONE03 messages. (To determine the level of
USERCLONE messages available on your SAP system, run transaction WE60 and specify object
name USERCLONEnn.) As a SAP administrator, you can select which attributes from the
infotypes can be modified.


Attribute Mapping from the SAP User Management Database to eDirectory 


Schema mapping is used by Identity Manager to translate data elements as they flow between the 
SAP User Management database and eDirectory. The SAP User object schema is based on the 
SAP USERCLONE message type. The schema map contains all attributes of the various data 
infotypes of the USERCLONE message type. 


Several of the USERCLONE infotypes can be instantiated multiple times on the User records. 
Infotypes such as ADDTEL (Telephone Number) and ACTIVITYGROUPS (Roles) are Table 
fields and can contain multiple values. Other infotypes such as ADDRESS and LOGONDATA are 
Structure fields and are instantiated only once but have multiple fields associated with them. Still 
other fields are simple field types that contain only a single data field element. 


The eDirectory system administrator can configure the driver to receive any of these various data
fields, and can also configure the driver to handle the data in multiple ways. The Schema Map
represents the data elements that can be synchronized in the SAP system.

The map elements have the following format:

<Segment Infotype Name>:<Infotype Field>    // Table/Structure

or

<Segment Infotype Name>:<Infotype Field>    // Simple data
Below are a few examples of maps between SAP User attributes and eDirectory attributes.

eDirectory Attribute      SAP User Attribute
Given Name                ADDRESS:FIRSTNAME
Surname                   ADDRESS:LASTNAME
sapRoles                  ACTIVITYGROUPS:AGR_NAME
buildingName              ADDRESS:BUILDING_P
floor                     ADDRESS:FLOOR_P
Internet EMail Address    ADDSMTP:E_MAIL
OU                        ADDRESS:DEPARTMENT
Pager                     ADDPAG:PAGER
sapAlias                  ALIAS:USERALIAS

The driver can synchronize multiple-instance data (such as TELEPHONE), but it cannot guarantee
the specification of a primary value. It is also possible to specify only the Table or Structure name
in a schema mapping. This is useful if only one data field exists in the structure or if you want to
synchronize all data fields in a Table or Structure to eDirectory. In these instances, the driver uses
a semicolon (;) delimiter between field data values.

Associations


Associations are created between SAP and eDirectory objects during the synchronization process. 
For the SAP User object, a unique 12-character name (per client) must be created. However, 
eDirectory and other applications do not need to share this same unique ID. Identity Manager 
allows the various naming policies in an organization to be applied to objects by using the 
DirXML-Association attribute. 


The DirXML-Association attribute is multivalued. Therefore, if Identity Manager is being used to 
synchronize an object among multiple applications, all of the object’s unique IDs (or associations) 
can be stored in this attribute on the eDirectory object. 


The unique ID association links objects in SAP to their objects in eDirectory. When an Add or 
Matching event occurs, the association is made. This association allows the driver to perform 
subsequent tasks on the appropriate object. 


The DirXML-Associations field is stored on the eDirectory object on the DirXML property page. 


Understanding Driver Components 


This section contains information about the following driver components:
+ “Driver Configurations”
+ “Driver Shim”
+ “SAP User Java Connector Test Utility”
Driver Configurations

After you install Nsure™ Identity Manager 2 and the driver, you create one or more Driver objects.
Each Driver object represents an instance of the Identity Manager Driver for User Management of
SAP Software. The driver configuration file gets you up and running with a minimum of
customization by letting you create a Driver object with preconfigured policies, filters, and driver
parameters.

The driver configuration file is named SAPUser.xml.

Driver Shim

The driver shim, sometimes referred to as the connector, handles communication between the SAP
User database and the DirXML engine.


SAP User Java Connector Test Utility 


In order to use the driver, you must download the SAP JCO and install it. The SAP User Java*
Connector (JCO) Test utility enables you to check for JCO installation and configuration issues
prior to configuring the driver.

You can use the JCO test utility to validate correct installation of the JCO client and connectivity
to the SAP host system, as well as to test accessibility of the User Management BAPIs used
by the driver. For more information, refer to Chapter 5, “Using the SAP Java Connector Test
Utility,” on page 31.


New Features 


For more information about the new features of Identity Manager 2, refer to the Nsure Identity
Manager 2 Administration Guide
(http://www.novell.com/documentation/lg/dirxm120/admin/data/alxnk27.html).
Installing the Driver


As part of the driver installation and configuration, you should complete the following tasks:
+ “Planning for Installation”
+ “Configuration Information”
+ “Installing the Driver”
+ “Extending the Schema”
+ “Activating the Driver”


These tasks are explained in detail in this section. After you finish installing the driver, proceed to 
Chapter 3, “Understanding ALE Technologies,” on page 21 to learn more about the SAP system 
configuration requirements. 


Driver Prerequisites

The driver requires the following prerequisites. Ensure that you meet these criteria before you
install the driver.

+ Novell® Nsure™ Identity Manager 2.

+ The host system where the driver shim is running must have the SAP Java Connector (JCO)
  client technology version 1.1x or 2.x installed to provide connectivity to the SAP system.

  This client is freely available to SAP customers and developer partners through SAP, and is
  provided for most popular server operating systems. You can download the JCO from the SAP
  Connectors site (http://service.sap.com/connectors).

  NOTE: Because the driver can be configured to use a Remote Loader interface for both the Publisher
  and Subscriber Channels, there is no requirement to install the driver on the SAP host system or the
  eDirectory host system.

+ A JDK*/JRE 1.3.1 or later.

+ SAP Server revision level 4.5B or later.

  The driver operates with any SAP R/3 or Enterprise R/3 host system.


Planning for Installation 


Before you install and use the driver, you should determine which kind of installation you want to 
use: local or remote. 


When to Use a Local Installation 


A local installation installs the driver on the same host computer where you have Identity Manager 
installed. 
When to Use a Remote Installation


A remote installation installs the driver on a different computer than the one where Identity 
Manager and eDirectory™ are installed, or it allows the driver to run in its own process space on 
the same computer. Remote installations can use SSL encryption to ensure data privacy between 
the driver and the DirXML® engine. You should use this configuration when it is not possible or 
desirable to run the driver on the same host with eDirectory and Identity Manager. 
Installing the Driver

You install the driver as part of the Novell Nsure Identity Manager 2 installation program. For
installation instructions, refer to the Novell Nsure Identity Manager 2 Administration Guide
(http://www.novell.com/documentation/lg/dirxm120/index.html).

This section explains how to import the driver configuration for the Identity Manager Driver for
User Management of SAP Software. After you have imported the configuration, you can use
iManager to configure and manage the driver.

In this section, you will find information for:
+ “Configuration Information”
+ “Importing the Driver Configuration”
+ “Activating the Driver”

Configuration Information

As you import the driver configuration file, you will be prompted for the following information.

+ Driver name: The actual name you want to use for the driver.

+ User Object Container: The name of the eDirectory Organizational Unit object where Users from
  the SAP system will be placed.

+ SAP Application Server: The host name or IP address for connecting to the appropriate SAP
  application server. This is referred to as the “Application Server” in the SAP logon properties.

+ SAP User ID: The ID of the user this driver will use for the SAP system logon. This is referred
  to as the “User” in the SAP logon screen.

+ SAP User Password: The User password this driver will use for the SAP system logon. This is
  referred to as the “Password” in the SAP logon screen.

+ Publisher Channel Port Type: Set to TRFC if the driver will instantiate a JCO Server to receive
  data distribution broadcasts from the SAP ALE system. Set to FILE if the driver will consume text
  file IDocs distributed by the SAP ALE system. Any other value will disable the Publisher channel
  functionality.

+ SAP System Number: The SAP system number on the SAP application server. This is referred to
  as the “System Number” in the SAP logon properties.

+ SAP Client Number: The client number to be used on the SAP application server. This is referred
  to as the “Client” in the SAP logon screen.

+ SAP Session Language Code: The language code this driver will use for the SAP session. This is
  referred to as the “Language” in the SAP logon screen.
+ Character Set Encoding: The code for the character set to translate IDoc byte-string data into
  Unicode* strings. An empty value causes the driver to use the host JVM default.

+ Publish all Communication Table Values: Set to 0 if only the primary value of Communication
  tables should be synchronized. Set to 1 if all values should be synchronized.

+ Publish Company Address Data: By default, an SAP User record does not include Company
  Address information. That data is kept in a related table. Use this parameter to specify if you want
  the driver to retrieve the data from the appropriate company record. Regardless of the option you
  specify, Company Address information cannot be updated in SAP.

  Set to 1 to populate User Company Address information for the Publisher channel and for
  Subscriber channel queries.

  Set to 0 if you do not want this functionality.

+ Require User to Change Set Passwords: The Subscriber channel can be configured to handle a
  User password set operation in two ways. Enter 1 if passwords must be changed immediately by
  Users at their next login, or enter 0 if you do not want this functionality.

+ Communication Table Comments: The communication table comment is a text comment the driver
  adds to all Communication table entries added by the Subscriber Channel. This is a useful method
  for determining where an entry originated from when viewing values via the SAP GUI. Leaving
  this field blank provides no comments to the table entries.

+ SAP Gateway ID: If the Publisher channel port type is TRFC, this parameter specifies the gateway
  that distributes User data to the driver. If you are not using TRFC, this parameter is ignored.

+ TRFC Program ID: If the Publisher channel port type is TRFC, this parameter identifies the JCO
  server program in the driver for the SAP gateway. If you are not using TRFC, this parameter is
  ignored. Note that the program ID is a case-sensitive text identifier.

+ Publisher IDoc File Directory: The file system location where the SAP User IDoc files are placed
  by the SAP ALE system (FILE port configuration) or by the driver (TRFC configuration).

+ Configure Data Flow: Data flow can be configured to one of the following options:

  + Bidirectional: SAP HR and eDirectory are both authoritative sources of the data synchronized
    between them.
  + SAP-to-eDirectory: SAP is the authoritative source.
  + eDirectory-to-SAP: eDirectory is the authoritative source.

+ Install Driver as Remote/Local: Configure the driver for use with the Remote Loader service by
  selecting the Remote option, or select Local to configure the driver for local use. If Local is
  selected, you can skip the remaining parameters.

+ Remote Host Name and Port: Specify the host name or IP address and port number for where the
  Remote Loader service has been installed and is running for this driver. The default port is 8090.

+ Driver Password: The driver object password is used by the Remote Loader to authenticate itself
  to the Identity Manager server. It must be the same password that is specified as the driver object
  password on the Remote Loader.

+ Remote Password: The Remote Loader password is used to control access to the Remote Loader
  instance. It must be the same password that is specified as the Remote Loader password on the
  Identity Manager Remote Loader.
The following additional driver parameters are set to default values during the import process, but
they can be modified in iManager (by clicking the Driver Configuration tab on the driver object).

+ Poll Interval (seconds): Specifies how often the Publisher channel polls for unprocessed IDocs.
  The default value is 10 seconds.

+ Future-dated Event Handling Option: The behavior of this option is based on the values of the
  User record’s Logon Data “Valid From” date (LOGONDATA:GLTGV) when IDocs are processed by
  the Publisher Channel. This field does not need to be in the Publisher filter for this processing
  to occur.

  There are four possible values for this parameter:

  0 - Indicates that all attributes are processed by the driver when the IDoc is available. No
  future-dated processing is performed.

  1 - Indicates that only attributes that have a current or past time stamp are processed by the
  driver when the IDoc is available. Future-dated infotype attributes are cached in a “.futr” file to
  be processed at a future date.

  2 - Indicates that the driver blends options 1 and 2. All attributes are processed, with a time
  stamp, at the time the IDoc is available. All future-dated infotype attributes are cached in a
  “.futr” file to be processed at a future date.

  3 - Indicates that the driver processes all events at the time the IDoc is made available. All
  future-dated infotype attributes are cached in a “.futr” file to be processed again on the next
  calendar day. This continues until the attributes are sent for a final time on the future date.

+ Generate TRFC Trace Files: If a TRFC port is configured for use by the Publisher channel, this
  option allows the driver to turn on the SAP JCO tracing capability. Enter 0 if you do not desire
  this functionality. Enter 1 to activate it. Trace files are generated in either the DirXML or
  Remote Loader root directory and are identified by a “.trc” extension. The default value is 0.
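
The four values of the Future-dated Event Handling Option differ in when a future-dated User's data reaches eDirectory. The following Python model is an added example, not the driver's code: for one IDoc it derives the days on which the future-dated attributes are published under each option, and how many days ahead of the “Valid From” date they first appear. It assumes GLTGV uses SAP's YYYYMMDD date form with an empty or all-zero value meaning no start date; the function names and sample dates are hypothetical.

```python
from datetime import date, datetime, timedelta


def parse_gltgv(value):
    """Parse a LOGONDATA:GLTGV value into a date, or None when no date is set.

    Assumption: YYYYMMDD form; empty or all-zero means 'no Valid From date'.
    """
    value = (value or "").strip()
    if not value or set(value) == {"0"}:
        return None
    return datetime.strptime(value, "%Y%m%d").date()


def is_future_dated(arrival, gltgv):
    """True when the Valid From date lies after the day the IDoc became available."""
    valid_from = parse_gltgv(gltgv)
    return valid_from is not None and valid_from > arrival


def publication_dates(option, arrival, gltgv):
    """Days on which the future-dated attributes of one IDoc are published."""
    if option not in (0, 1, 2, 3):
        raise ValueError("option must be 0, 1, 2 or 3")
    # Option 0 never defers; data that is not future-dated is never deferred.
    if option == 0 or not is_future_dated(arrival, gltgv):
        return [arrival]
    valid_from = parse_gltgv(gltgv)
    if option == 1:
        # Held back in the .futr file until the future date.
        return [valid_from]
    if option == 2:
        # Published on arrival and once more on the future date.
        return [arrival, valid_from]
    # Option 3: published on arrival, then again each calendar day
    # up to and including the future date.
    days = (valid_from - arrival).days
    return [arrival + timedelta(days=n) for n in range(days + 1)]


def leaves_futr_file(option, arrival, gltgv):
    """True when the driver would cache attributes in a .futr file."""
    return option != 0 and is_future_dated(arrival, gltgv)


def days_published_early(option, arrival, gltgv):
    """Days between first publication and the Valid From date (0 if none)."""
    if not is_future_dated(arrival, gltgv):
        return 0
    first = publication_dates(option, arrival, gltgv)[0]
    return (parse_gltgv(gltgv) - first).days


if __name__ == "__main__":
    arrival = date(2024, 6, 10)   # constructed sample: day the IDoc is available
    gltgv = "20240613"            # constructed sample: Valid From three days later
    for option in range(4):
        dates = [d.isoformat() for d in publication_dates(option, arrival, gltgv)]
        print(option, dates,
              "futr" if leaves_futr_file(option, arrival, gltgv) else "no futr",
              "early by", days_published_early(option, arrival, gltgv), "days")
```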


Importing the Driver Configuration 
The Create Driver Wizard helps you import the basic driver configuration file. This file creates
and configures the objects and policies needed to make the driver work properly. 


The following instructions explain how to create the driver and import the driver’s configuration. 
1 In Novell iManager, click DirXML Utilities > Create Driver.
2 Select a driver set. 


If you place this driver in a new driver set, you must specify a driver set name, context, and 
associated server. 


3 Select Import a Driver Configuration from the Server, then select SAPUser.xml. 


The driver configuration files are installed on the Web server when you install Identity 
Manager. During the import, you are prompted for the driver’s parameters and other 
information. Refer to “Configuration Information” on page 16 for more information. 


4 Specify the driver’s parameters, then click OK to import the driver. 
When the import is finished, you can define security equivalences and exclude administrative
roles from replication. 


The driver object must be granted sufficient eDirectory rights to any object it reads or writes. 
You can do this by granting Security Equivalence to the driver object. The driver must have 
Read/Write access to users, post offices, resources, and distribution lists, and Create, Read, 
and Write rights to the post office container. Normally, the driver should be given security 
equal to Admin. 


5 Review the driver objects in the Summary screen, then click Finish. 


Extending the Schema 


If you want to use the default configuration, you need to extend the eDirectory schema. This
provides greater abilities to administer the User Management functions of SAP R/3 and
Enterprise R/3 systems. We recommend applying a set of schema extensions to the eDirectory tree
that will synchronize with the SAP system.

During SAP’s development of their own LDAP-based User Administration utilities, a standard set
of schema extensions was developed for use with Novell eDirectory. These extensions are
contained in the R3-Novell-Ldif-Schema-extension.ldif file. This file is designed to be applied to
eDirectory by using the Novell Import Conversion Export (ICE) utility.


In addition to the ldif-format schema extension file, the schema extensions are also available in the 
sapuser.sch file (the eDirectory standard). 


If you want to extend the schema using the LDIF file, the following instructions help you use the 
ICE utility. For additional information, refer to the Import Conversion Export utility 
documentation (http://www.novell.com/documentation). 


1 Open the NDS Import/Export Wizard. 
2 Select Import LDIF File, then click Next. 
3 Browse to R3-Novell-Ldif-Schema-extension.ldif, then click Next.


4 Fill in the appropriate LDAP connection information for the Novell LDAP service, then click 
Next. 


5 Click Finish to begin the extension process. 


Activating the Driver 
Activation must be completed within 90 days of installation or the driver will not run. 


For activation information, refer to “Activating Novell Identity Manager Products” in the Novell 
Nsure Identity Manager 2 Administration Guide. 
Understanding ALE Technologies


This section explains how Application Link Enabling (ALE) technology enables communication 
between Identity Manager and SAP systems. 


Application Link Enabling Technology 


Application Link Enabling (ALE) technology enables communication between SAP and external 
systems such as Novell® eDirectory™. ALE is comprised of various components. If you want to 
distribute User modification data automatically from the SAP system to eDirectory, you must 
configure the ALE and CUA systems. If your integration requires only reading and writing data to 
the SAP system, this configuration is not necessary. 


When configuring the SAP system to enable the driver, you should consider the following ALE 
components and their relationship to the driver: 


+ “Clients and Logical Systems”
+ “Message Type”
+ “IDoc Type”
+ “Distribution Model”
+ “Partner Profiles”
+ “Port”
+ “Port Definition”
+ “File Port”
+ “CUA”


Refer to “Configuring the SAP System” on page 25 for instructions on how to configure these SAP 
system parameters. 


Clients and Logical Systems 


In the SAP configuration for the driver, a logical system is a representation of either a SAP system
or an external system. The logical system is used to distribute data to and from SAP. To use ALE,
every SAP system needs to have a base logical system associated with a client. There is a
one-to-one relationship between the client and the logical system.


The driver uses an outbound ALE interface. In an outbound ALE interface, the base logical system 
becomes the sender for outbound messages and the receiver of inbound messages. A SAP user is 
likely logged into the base logical system/client when making changes to the database (for 
example, modifying User profiles or logon preferences). A logical system/client must also be 
defined for the receiving client. This logical system acts as the receiver of outbound messages. 
Message Type

A message type represents the type of data that is exchanged between the two systems. For this
driver, the USERCLONE message type is used. A message type characterizes data being sent
across the systems and relates to the structure of the data, also known as an IDoc type (for example,
USERCLONE03).

IDoc Type

Intermediate Document (IDoc) Type represents the structure of the data associated with a message
type. ALE technology uses IDocs to exchange data between logical systems. An IDoc is an object
with the data of a specific message type in it. IDocs consist of three record types:


1. The control record 
2. The data record 
3. The status record 


The control record contains information about the IDoc, such as what IDoc type it is, the message 
type, the sending and receiving systems, or the direction. 


The data record contains the application data. Data records consist of several fields that describe 
the content of the specific object. 


The status record contains data on the state of the processing of the IDoc. 


Distribution Model 


The distribution model is a tool that stores information about the flow of message types between 
systems. A distribution model must be configured when setting up the driver. After the two logical 
systems have been defined and you have a general understanding of message types and IDocs, you 
can configure your distribution model. 


The distribution model determines what message types can be sent from a logical system to 
another logical system. 


Partner Profiles

Partner profiles specify the components used in an outbound process. Some of these components
include the IDoc type, message type, IDoc size, mode, and the person to be notified in case of
errors.

Port

A port is the communication link between the two logical systems.

Port Definition

A port definition is used in an outbound process to define how documents are transferred to the
destination system.
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File Port 


A file port can be used in the integration solution. IDocs are transferred to a file in a specified file 
system location accessible by the SAP host system. 


TRFC Port 


A Transactional Remote Function Call (TRFC) can be used in the integration solution. IDocs are 
transferred to a specified application process (such as the driver) via the SAP Gateway. 


CUA 


Central User Administration (CUA) is a process provided by SAP to distribute and manage User 
object data between a Central SAP logical system and one or more Client logical systems. The 
client logical systems might be SAP or external systems. The base technology used for the CUA 
is ALE. 
Configuring the SAP System 


You must configure the SAP system parameters to enable Application Link Enabling (ALE) and 
Central User Administration (CUA) processing of USERCLONE IDocs if you want to publish 
real-time changes of SAP User data to eDirectory. Novell® follows SAP’s general guidelines for 
configuring BAPI (Business Application and Programming Interface) and ALE technologies for 
this integration solution. 


Configuring the SAP System 


As part of configuring the SAP system, you should complete the following steps in this order: 


1. “Defining Sending and Receiving Systems” on page 25 
2. “Creating a Logical System” on page 26 
3. “Assigning a Client to the Logical System” on page 26 
4. “Creating a Distribution Model” on page 26 
5. “Creating a Port Definition” on page 27 
6. “Partner Profiles” on page 28 
7. “Modify Port Definition” on page 28 
8. “Activating Central User Administration” on page 29 
9. “Set Field Distribution Parameters” on page 29 
10. “Create a Communication (CPIC) User” on page 30 


NOTE: The following instructions are for SAP version 4.6C. If you are using a previous version of SAP, the 
configuration process is the same; however, the SAP interface will be different. 


Defining Sending and Receiving Systems 


The sending and receiving systems must be defined for messaging. In order to distribute data 
between systems you must first define both the sending and receiving systems as unique logical 
systems. 


For this particular solution, we recommend defining two logical systems. One logical system 
represents the driver and acts as the receiver system. The other logical system represents the SAP 
system and acts as the sender system. Because only one of these clients is used as a data source 
(that is, the client/logical system where SAP User data is stored and “actions” occur), there is no 
need to assign a client to the receiving logical system. 


NOTE: Depending on your current SAP environment, you might not need to create a logical system. You might 
only need to modify an existing Distribution Model by adding the USERCLONE message type to a previously 
configured Model View. For more information, see “Creating a Distribution Model” on page 26. 


It is important, however, that you follow SAP’s recommendations for logical systems and configuring your ALE 
network. The following instructions assume that you are creating new logical systems and a new model view. 
Creating a Logical System 


1 In SAP, type transaction code BD54. 

2 Click New Entries. 

3 Type an easily identifiable name to represent the SAP sender system. SAP recommends the 
following format for logical systems representing R/3 clients: systemIDCLNT client number 
(such as ADMCLNT100). 

4 Type a description for the logical system (such as Central System for SAP User Distribution). 

5 Add a second logical system name to represent the DirXML external receiver system (such as 
DIRXMLDRV). 

6 Type a description for the logical system (such as DirXML User Management Integration). 

7 Save your entries. 


Assigning a Client to the Logical System 

1 In SAP, type transaction code SCC4. 

2 Click Table View > Display > Change to switch from display to change mode. 

3 Select the client from which you want User information distributed (such as 100). 

4 Click Goto > Details > Client Details. 

5 In the Logical System field, browse to the sender logical system you want to assign to this 
client (such as ADMCLNT100). 

6 Save your entry. 


Creating a Distribution Model 


The distribution model contains essential information about message flow. The model view 
defines the systems that will communicate with each other and the messages that will flow between 
them. The distribution model forms the basis of distribution and controls it directly. 


To create a distribution model: 
1 Verify that you are logged on to the sending system/client. 


2 In SAP, type transaction code BD64. Ensure that you are in Change mode (click Table View 
> Display > Change.) 


3 Click Edit > Model View > Create. 


4 Type the short text to describe the distribution model (such as Client 100 Distribution to 
DirXML). 


5 Type the technical name for the model (such as SAP2DIRXML). 


6 Accept the default Start and End dates or specify valid values. Click the check mark icon to 
save your entry. 


7 Select the view you created, then click Add BAPI. 


8 In the Sender/Client field, type the name of the sender logical system (such as 
ADMCLNT100). 


9 In the Receiver/Client field, add the name of the receiver logical system (such as 
DIRXMLDRV). 


10 In the Obj. Name/Interface field, add the USER object name. 
NOTE: Ensure that you add the USER object name with all capital letters. 

11 In the Method field, add Clone. 

12 Click the check mark icon to save the BAPI. 

13 Select the SAP2DIRXML model view. 

14 Click Add BAPI. 

15 Define the sender (logical system ADMCLNT100). 

16 Define the receiver (logical system DIRXMLDRV). 

17 In the Obj. Name/Interface field, add the UserCompany object name. 

18 In the Method field, add Clone. 

19 Click the check mark icon to save your BAPI entries. 

20 Save the Distribution Model entries. 


Creating a Port Definition 


The port is the communication channel to which IDocs are sent. The port describes the technical 
link between the sending and receiving systems. 


The driver can be configured to support a connection via a TRFC port or to consume IDocs 
distributed via a File port. The default driver configuration assumes that you use the TRFC port 
configuration. 


TRFC Port Definition 


Prior to creating a TRFC port definition, you must create an RFC destination. To create an RFC 
destination: 


1 In SAP, type transaction code SM59. 

2 Click the Create icon. 

3 Name the RFC destination (such as DIRXML USER DRIVER). 

4 Select T as the connection type (for a TCP/IP connection). 

5 Add a description for the destination (such as JCO Server in DirXML User Driver). 

6 Save your entry. 

7 Select the option for Registration or Registered Server Program. Type the program ID that will 
be used for the driver. In the default driver configuration, this value is set to DirXMLUser. 

8 Save your entry. 


The TRFC port is used to determine the RFC program to which IDocs are sent. 


1 In SAP, type transaction code WE21. 

2 Select Transactional RFC, then click the Create icon. 

3 Select Own Port Option Name. 

3a Type a port name (such as DIRXMLPORT). 

3b Type a description for the port definition (such as Port to DirXML User Driver). 

3c Select a version (such as IDoc record types SAP release 4.X). 

3d Enter the RFC destination. This is the name of the RFC destination representing the 
driver (such as DIRXML USER DRIVER). 

4 Save your entries. 


File Port Definition 
1 In SAP, type transaction code WE21. 
2 Select File, then click the Create icon. 
2a Type a port name (such as DIRXMLFILE). 
2b Type a port description (such as File Port to DIRXML User Driver). 
2c Select a version (such as SAP release 4.X). 
3 Define the outbound file: 


3a Select the physical directory. This is the directory where you want IDocs placed. You 
might need to create this directory. 


Type the directory where the outbound files are written, for example: 
\\sapdev\nov\sys\global\sapndsconnector. 


3b Type the function module. This names the IDoc file in a specific format. For example: 
edi_path_create_client_docnum. 


4 Save your changes. 


NOTE: You do not need to configure the other three tabs for the port properties (outbound:trigger, 
inbound file, and status file). 


Partner Profiles 


The system automatically generates a partner profile or you can manually maintain the profile. 


NOTE: If you are using an existing distribution model and partner profile, you do not need to automatically 
generate a partner profile. Instead, you can modify it to include the USERCLONE BAPI. 


1 In SAP, type transaction code BD82. 


2 Select the Model View. This should be the Model View previously created in “Creating a 
Distribution Model” on page 26. 


3 Ensure that the Transfer IDoc Immediately and Trigger Immediately option buttons are 
selected. 


4 Click the Execute icon. 
NOTE: Ignore any red error or warning messages when the status screen appears. These issues will be 
resolved when you modify the port definition in the next section. 


Modify Port Definition 


When you generated a partner profile, the port definition might have been entered incorrectly. For 
your system to work properly, you need to modify the port definition. 


1 In SAP, type transaction code WE20. 
2 Select Partner Type LS. 
3 Select your receiver partner profile (such as DIRXMLDRV). 
4 Click the Create Outbound Parameter icon, then select message type USERCLONE. 


5 Modify the receiver port so it is the file or TRFC port name you created earlier (such as 
DIRXMLPORT or DIRXMLFILE). 


6 Under Output Mode, select Transfer IDoc Immediately to send IDocs immediately after they 
are created. 


7 In the IDoc Type section, select the Basic type and the appropriate USERCLONE: 
+ For SAP 4.5, select USERCLONE01 
+ For SAP 4.6a, select USERCLONE02 
+ For SAP 4.6c, select USERCLONE03 
+ For SAP 6.10 or greater, select USERCLONE04 
8 Save your entries. 
9 Click the Create Outbound Parameter icon, then select message type CCLONE. 


10 Modify the receiver port so it is the file or TRFC port name you created earlier (such as 
DIRXMLPORT or DIRXMLFILE). 


11 Under Output Mode, select Transfer IDoc Immediately to send IDocs immediately after they 
are created. 


12 In the IDoc type section, select Basic type and the appropriate CCLONE. (For all SAP 
versions, select CCLONE01.) 


13 Save your entries. 


Activating Central User Administration 


Central User Administration (CUA) is the process that activates the distribution model. 
1 In SAP, type transaction code SCUA. 


2 In the Maintain System Landscape dialog box, select the distribution Model View previously 
created (such as SAP2DIRXML). 


3 Save your entry. 


You will see a message stating “Unable to distribute the system landscape to system 
DIRXMLDRV.” This is an informative message and is not an error or issue of concern. 


Set Field Distribution Parameters 


By default, all data fields of the User object will be configured for global control. This means that 
changes can only be made on the central system (the sender client) and distributed to child 
systems. This is acceptable unless you want to distribute Roles and Profiles information to the 
driver. If you want this distribution, you must modify the field distribution parameters. 


1 In SAP, type transaction code SCUM. 

2 Click the Roles tab. 

3 Select the Local option for the Role Assignment and Reference User fields. 
4 Click the Profiles tab. 

5 Select the Local option for the Auth Profiles field. 

6 Save your entries. 


Once again, you will receive the “Unable to distribute . . .” message. This is not an error or 
issue of concern. 


Create a Communication (CPIC) User 
Users are client-independent. For each client that will be using the driver, a system user with CPIC 
access must be created. 


1 In SAP, type transaction code SU01. 


2 From User Maintenance, enter a username in the User dialog box (such as DIRXML_CPIC), 
then click the Create icon. 


3 Click the Address tab, then type data in the last name fields (Last_DirXML). 


4 Click the Logon Data tab, then define the initial password and set the user type to CPIC 
(Communication). 


5 Click the Profiles tab, then add the sample values of SAP_ALL, SAP_NEW and S_A.CPIC 
profiles. You can use other profiles. 


6 Click the Systems tab. Add the logical name of the sender system (such as ADMCLNT100). 
This enables the CPIC user to authenticate to the client system. 


7 Click Save. 


NOTE: Initially, you can create a dialog user to test your SAP system configuration. If there are processing 
problems, you can analyze the dialog user in the debugger. You should also log into the SAP system once to 
set this user’s password. After the system is tested and works properly, you should switch to a CPIC user for 
security measures. 
Using the SAP Java Connector Test Utility 


The driver uses the SAP Java Connector (JCO) and Business Application Programming Interface 
(BAPI) technologies to connect to and integrate data with Novell® eDirectory™. The SAP JCO is 
a SAP client that creates service connections to a SAP R/3 system. After the driver is connected 
to the R/3 system, it calls methods on business objects within the R/3 system via BAPI. 


The SAP Java Connector Test utility enables you to check for JCO installation and configuration 
issues prior to configuring the driver. Use the JCO Test utility to validate installation and 
connectivity to the SAP JCO client, as well as testing for accessibility to the BAPIs used by the 
driver. 


Ensure that you are using JDK/JRE version 1.3.1 or later. 
The following instructions apply to JCO versions 1.1.x and 2.x. 
In this section: 

+ “About the Utility” on page 31 

+ “Running and Evaluating the Test” on page 32 

+ “Understanding Test Error Messages” on page 34 


About the Utility 


The JCO Test utility completes the following checks: 


+ Ensures that the jco.jar or sapjco.jar file, which contains the exported JCO interface, is 
present. 


+ Ensures that the JCO native support libraries are properly installed. 

+ Ensures that connection parameters to the SAP target system are correct. 

+ Ensures that the authentication parameters to the SAP target system are correct. 
+ Ensures that the selected language code is valid. 


+ Ensures that the BAPIs used by the driver are present as expected for the version of the SAP 
target system. 


Utility Prerequisites 


Before you run the JCO Test utility, you must install the SAP JCO client for the desired platform. 
The JCO can only be obtained from the SAP Service Marketplace Web site (http://www.sap-ag.de/services). 
The download is free to any SAP software customer or development partner, but you are 
required to log in. 


In order to configure the driver, you must first download the SAP JCO and install it. For 
installation instructions, refer to the documentation accompanying the SAP JCO. 


Follow the installation instructions for your platform. Each installation requires you to set one or 
two environment variables, such as CLASSPATH for the jco.jar or sapjco.jar file location. For the 
UNIX* platforms, set either the LD_LIBRARY_PATH or LIBPATH variables for the location of 
native support libraries. Ensure that these variables are set in the shell environment to run this test 
and for the subsequent use of the Identity Manager Driver for User Management of SAP Software. 


You must also make sure that you have your PATH environment variable set to include the path 
to your Java executable file. For Win32 platforms, the environment variables are set via the System 
configuration in the Control Panel. On UNIX systems, edit the appropriate .profile or .bash_profile 
to include and export these path variables. 


Components 


The JCO Test utility consists of the UserJCOTest.class file. The format of an execution batch or 
script file varies, depending on the platform on which the JCO client has been installed. 


The basic content of the file includes a path to the Java executable (or just java if your PATH is 
appropriately configured), and the name of the UserJCOTest.class file. A sample UNIX script file 
and Win32 batch file are listed below, where jco.jar or sapjco.jar is in the executable directory of 
the UserJCOTest.class file and the batch file: 


Win32 jcotest.bat file 
java -classpath %CLASSPATH%;. UserJCOTest 


Unix jcotest file 
java UserJCOTest 


You must use proper slash notation when specifying pathnames, and you must use the proper 
classpath delimiter for the platform. You must also remember that the name of the jco.jar or 
sapjco.jar file is case-sensitive on UNIX platforms and that the name of the test class, 
UserJCOTest, must be specified with proper case for any platform. 
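

A preflight check for the UNIX environment described above, as an added example that is not part of the original guide or of the Novell test utility. It looks for jco.jar or sapjco.jar on the CLASSPATH (flagging a name that matches only when case is ignored) and for the JCO native libraries in the platform's library path variable. The function names and the script name jco_preflight.sh are assumptions; the file and variable names are the ones this guide uses.

```shell
#!/bin/sh
# Added example: preflight check of a UNIX JCO client environment.
# File and variable names are the ones this guide names; function names are hypothetical.

# Variable the guide says to set for the native libraries on each platform.
libpath_var_for() {
    case $1 in
        AIX)   echo LIBPATH ;;
        HP-UX) echo SHLIB_PATH ;;
        *)     echo LD_LIBRARY_PATH ;;      # Solaris (SunOS) and Linux
    esac
}

# Native support libraries the guide's error tables name for each platform.
native_libs_for() {
    case $1 in
        AIX)   echo "libjRFC12.so librfccm.o" ;;
        HP-UX) echo "libjRFC12.sl librfccm.sl" ;;
        *)     echo "libjRFC12.so librfccm.so" ;;
    esac
}

# find_in_pathlist FILE LIST: print the first directory of the colon-separated
# LIST that holds FILE; return 1 if none does. Empty entries are skipped.
find_in_pathlist() {
    _old_ifs=$IFS; IFS=:; set -f
    for _dir in $2; do
        if [ -n "$_dir" ] && [ -f "$_dir/$1" ]; then
            IFS=$_old_ifs; set +f
            printf '%s\n' "$_dir"
            return 0
        fi
    done
    IFS=$_old_ifs; set +f
    return 1
}

# find_jco_jar CLASSPATH: print the entry that names jco.jar or sapjco.jar.
# Returns 0 when that file exists, 2 when an entry matches only if case is
# ignored (the jar name is case-sensitive on UNIX), 1 when nothing matches.
find_jco_jar() {
    _status=1; _hit=
    _old_ifs=$IFS; IFS=:; set -f
    for _entry in $1; do
        _base=${_entry##*/}
        case $_base in
            jco.jar|sapjco.jar)
                if [ -f "$_entry" ]; then
                    _status=0; _hit=$_entry
                    break
                fi ;;
            *)
                _lower=$(printf '%s' "$_base" | tr '[:upper:]' '[:lower:]')
                case $_lower in
                    jco.jar|sapjco.jar) _status=2; _hit=$_entry ;;
                esac ;;
        esac
    done
    IFS=$_old_ifs; set +f
    if [ -n "$_hit" ]; then printf '%s\n' "$_hit"; fi
    return "$_status"
}

# check_jco_env OS CLASSPATH LIBDIRS: print one line per finding and return
# the number of problems found (0 means none).
check_jco_env() {
    _os=$1; _problems=0
    _jar=$(find_jco_jar "$2") && _rc=0 || _rc=$?
    case $_rc in
        0) echo "OK    $_jar" ;;
        2) echo "FAIL  $_jar: wrong case in file name, expect NoClassDefFoundError"
           _problems=$((_problems + 1)) ;;
        *) echo "FAIL  no jco.jar or sapjco.jar in CLASSPATH, expect NoClassDefFoundError"
           _problems=$((_problems + 1)) ;;
    esac
    for _lib in $(native_libs_for "$_os"); do
        if _where=$(find_in_pathlist "$_lib" "$3"); then
            echo "OK    $_where/$_lib"
        else
            echo "FAIL  $_lib not found via $(libpath_var_for "$_os")"
            _problems=$((_problems + 1))
        fi
    done
    return "$_problems"
}

# jco_preflight: run the check against the current shell environment.
jco_preflight() {
    _osname=$(uname -s)
    eval "_libdirs=\${$(libpath_var_for "$_osname"):-}"
    check_jco_env "$_osname" "${CLASSPATH:-}" "$_libdirs"
}

# "sh jco_preflight.sh --run" checks the environment of the invoking shell.
if [ "${1:-}" = "--run" ]; then
    jco_preflight
fi
```

Run it from the same shell environment the driver will use; the exit status is the number of problems found.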


Running and Evaluating the Test 


Running the Test 


To run the JCO Test utility on a Win32 platform: 


1 From Windows Explorer, double-click UserJCOTEST.BAT. 
or 
From a command prompt, run the UserJCOTEST.BAT script. 


To run the JCO Test utility on a UNIX platform: 


1 From your preferred shell, run the userjcotest script file. 


NOTE: It is possible that when you run the test program, an error message appears before any test output is 
displayed. This indicates an improper installation of the JCO client components. The error messages are 
documented for each platform in “Understanding Test Error Messages” on page 34. 


Evaluating the Test 
If the JCO client is installed properly, the following output is displayed: 
**The SAP JCO client installation has been verified to be correct. 

Version of the JCO-library: version information 

Input SAP Server Connection Information 


You then receive a series of prompts for connection and authentication information. All data must 
be provided unless a default value, identified by [] delimiters, is provided. Failure to fill in a 
response value to each prompt ends the test. Enter the following when prompted: 


+ Application server name or IP address 
+ System number [00] 
+ Client number 
+ User 
+ User password 
+ Language code [EN] 


The values you provide are the same values that could be used to authenticate via the SAPGUI 
client. Based on the validity of the input, the test either displays error messages with solution 
suggestions or runs to completion. At the end of the test, a status message displays. If the test 
indicates full functionality as required by the driver, the following status message appears (it 
describes valid values that can be used as the configuration parameters for the driver): 


**All expected platform support is verified correct. 


JCO Test Summary 


Full JCO/BAPI Functionality has been verified. 
The following parameters may be used for driver configuration 


Authentication ID: Username 
Authentication Context: SAP Host Name/IP Address 
Application Password: User password 


SAP System Number: System Number 


SAP User Client Number: Client Number 
SAP User Language: Language Code 


If the test indicates that the functionality required by the driver is not available, the following status 
message is displayed: 
**There are <number> required BAPI functions NOT supported on this platform. 


JCO Test Summary 


JCO/BAPI functionality issues have been detected that will prevent proper 
driver functionality. 


Post-Test Procedures 


After the JCO Test utility has successfully passed all tests, you can then begin to configure the 
driver. Make sure that the jco.jar or sapjco.jar file is copied to the location where the 
sapusershim.jar file has been installed. 
On UNIX systems, ensure that the environment variables used for the successful completion of the 
User JCO Test are also in the environment of the driver. If these conditions are met, there should 
be no driver errors that are related to the JCO. 


Understanding Test Error Messages 


Use the information in this section to analyze error messages that might display during the User 
JCO Test. Some errors are applicable to all platforms, and other errors are platform-specific. 


The test has been run on the platforms listed below. Other UNIX platforms supported by the JCO 
are configured in a similar manner and errors generated by improper JCO installation and 
configuration should be similar to the errors described below. Because of periodic modifications 
of the JCO, messages might not be exactly as shown. 


+ “General Errors” on page 34 


+ “Errors on Win32 Systems” on page 34 


+ “Errors on IBM-AIX Systems” on page 35 


+ “Errors on Solaris Systems” on page 36 


+ “Errors on HP-UX Systems” on page 36 


General Errors 


Error Message: 
Error connecting to SAP host: 
com.sap.mw.jco.JCO$Exception: (102) 
RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed 
Check values of Application Server Name/IP Address and System Number 

Problem: 
This indicates that one or both of the values entered for the Application Server Name or IP 
Address and System Number are incorrect. Verify that these values are consistent with the 
information found in the Properties page of the SAP Logon dialog box used to connect to the 
SAP R/3 system. 


Error Message: 
Error authenticating to SAP host: 
com.sap.mw.jco.JCO$Exception: (103) 
RFC_ERROR_LOGON_FAILURE: You are not authorized to logon to the target system (error code 1). 

Problem: 
The authentication credentials are not valid. Verify that the values for Client Number, User, 
and User Password are correct. 


Error Message: 
Error connecting to SAP host: 
com.sap.mw.jco.JCO$Exception: (101) 
RFC_ERROR_PROGRAM: Language '<value>' not available 
Check value of Language Code 

Problem: 
The language code selected is not valid or is not installed on the SAP R/3 system. 


Errors on Win32 Systems 


Error Message: 
'userjcotest' is not recognized as an internal or external command, operable program, or batch file. 

Problem: 
The userjcotest.bat batch file is not present. 


Error Message: 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$AbapException 
or 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$Exception 

Problem: 
The jco.jar or sapjco.jar file is not in the location specified in the userjcotest.bat batch file. 


Error Message: 
Exception while initializing JCO client. 
java.lang.UnsatisfiedLinkError: no jRFC12 in java.library.path 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The jRFC12.dll file that shipped with the JCO client is not installed or is installed in an 
incorrect location. The default location for jRFC12.dll and libRfc32.dll is \winnt\system32. 


Error Message: 
Exception while initializing JCO client. 
java.lang.UnsatisfiedLinkError: C:\WINNT\system32\jrfc12.dll: Can't find dependent libraries 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The librfc32.dll file shipped with the JCO client is not installed or is installed in an 
incorrect location. The default location for jRFC12.dll and libRfc32.dll is \winnt\system32. 


Errors on IBM-AIX Systems 


Error Message: 
ksh: userjcotest: not found. 

Problem: 
The userjcotest script file is not present in the directory. 


Error Message: 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$AbapException 
or 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$Exception 

Problem: 
The jco.jar or sapjco.jar file is not in the location specified in the jcotest script file or the 
case specified for jco.jar or sapjco.jar does not match the actual filename. 


Error Message: 
Exception while initializing JCO client. 
java.lang.UnsatisfiedLinkError: no jRFC12 (libjRFC12.a or .so) in java.library.path 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The libjRFC12.so file that shipped with the JCO client is not installed or is installed in an 
incorrect location. You must configure a LIBPATH environment variable to specify the location in 
which the file resides. 


Error Message: 
Exception while initializing JCO client. 
java.lang.UnsatisfiedLinkError: <path>/libjRFC12.so: A file or directory in the path name does not exist. 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The librfccm.o file shipped with the JCO client is not installed or is installed in an incorrect 
location. You must copy the file to the same location as libjRFC12.so or configure the LIBPATH 
environment variable to specify the location in which the file resides. 


Errors on Solaris Systems 


Error Message: 
ksh: userjcotest: not found. 
or 
bash: userjcotest: command not found 

Problem: 
The userjcotest script file is not present in the directory. 


Error Message: 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$AbapException 
or 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$Exception 

Problem: 
The jco.jar or sapjco.jar file is not in the location specified in the jcotest script file or the 
case specified for jco.jar or sapjco.jar does not match the actual filename. 


Error Message: 
Exception while initializing JCO client. 
java.lang.UnsatisfiedLinkError: no jRFC12 in java.library.path 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The libjRFC12.so shipped with the JCO client is not installed or is installed in an incorrect 
location. You must configure a LD_LIBRARY_PATH environment variable to specify the location in 
which the file resides. 


Error Message: 
Exception while initializing JCO client. 
java.lang.UnsatisfiedLinkError: <path>/libjRFC12.so: ld.so.1: <search-path>: fatal: librfccm.so: open failed: No such file or directory 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The librfccm.so file shipped with the JCO client is not installed or is installed in an incorrect 
location. You must copy the file to the same location as libjRFC12.so or configure the 
LD_LIBRARY_PATH environment variable to specify the location in which the file resides. 


Errors on HP-UX Systems 


Error Message: 
ksh: userjcotest: not found. 
or 
bash: userjcotest: command not found 

Problem: 
The userjcotest script file is not present in the directory. 


Error Message: 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$AbapException 
or 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$Exception 

Problem: 
The jco.jar or sapjco.jar file is not in the location specified in the jcotest script file or the 
case specified for jco.jar or sapjco.jar does not match the actual filename. 


Error Message: 
Exception while initializing JCO client. 
java.lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 
‘com.sap.mw.jco.rfc.MiddlewareRFC’ 
no sapjcorfc in java.library.path 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The libjRFC12.sl file shipped with the JCO client is not installed or is installed in an incorrect 
location. You must configure a SHLIB_PATH environment variable to specify the location in 
which the file resides. 


Error Message: 
Exception while initializing JCO client. 
java.lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 
‘com.sap.mw.jco.rfc.MiddlewareRFC . . . 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The librfccm.sl file shipped with the JCO client is not installed or is installed in an incorrect 
location. You must copy the file to the same location as libjRFC12.sl or configure the 
SHLIB_PATH environment variable to specify the location in which the file resides. 


Errors on Linux Systems 


Error Message: 
ksh: userjcotest: not found. 
or 
bash: jcotest: command not found 

Problem: 
The userjcotest script file is not present in the directory. 


Error Message: 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$AbapException 
or 
Exception in thread "main" java.lang.NoClassDefFoundError: com/sap/mw/jco/JCO$Exception 

Problem: 
The jco.jar or sapjco.jar file is not in the location specified in the jcotest script file or the 
case specified for jco.jar or sapjco.jar does not match the actual filename. 


Error Message: 
Exception while initializing JCO client. 
java.lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 
‘com.sap.mw.jco.rfc.MiddlewareRFC’ 
no jRFC12 in java.library.path 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The libjRFC12.so file shipped with the JCO client is not installed or is installed in an incorrect 
location. You must configure a LD_LIBRARY_PATH environment variable to specify the location in 
which the file resides. 


Error Message: 
Exception while initializing JCO client. 
java.lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 
‘com.sap.mw.jco.rfc.MiddlewareRFC’ 
<path>/libjRFC12.so: librfccm.so: cannot open shared object file: No such file or directory 
Verify proper installation of JCO Native support libraries packaged with JCO client. 

Problem: 
The librfccm.so file shipped with the JCO client is not installed or is installed in an incorrect 
location. You must copy the file to the same location as libjRFC12.so or configure the 
LD_LIBRARY_PATH environment variable to specify the location in which the file resides. 
Understanding the Default Driver Configuration 


This section explains how the default driver configuration uses policies and filters. You can use 
this overview as a basis to create your own policies and filters for specific business 
implementations. 


Using Policies 


Policies are highly configurable for use within any business environment. Although each business 
is different, the default driver configuration assumes the existence of the SAP-Users Organization 
in its Novell® eDirectory™ tree. 


The default driver is also configured to be primarily a Subscriber channel driver. This means the 
primary purpose is to create SAP User accounts using information collected in eDirectory. 


Modifying Policies and Filters 


You must modify policies and filters to work with your specific business environment. We 
recommend that you make modifications in this order: 


+ Modify the Publisher and Subscriber channel filters to include additional attributes to be 
synchronized. 


+ Modify the Mapping policy to include all attributes specified in the Subscriber and Publisher 
channel filters. 


+ Modify the InputTransform policy 

+ Modify the OutputTransform policy 

+ Modify the Publisher Placement policy 

+ Modify the Publisher Matching policy 

+ Modify the Publisher Create policy 

+ Modify the Publisher Command Transform policy 


+ Modify the Subscriber Matching policy 


The Publisher Channel Filter 


The Publisher Channel filter contains the set of classes and attributes whose updates publish from 
the SAP system to eDirectory. 


NOTE: To use the default driver configuration, you shouldn't filter out any of the CommExec, Organizational 
Role, or Organizational Unit attributes. Also, do not remove the following attributes from the User class object: 
Given Name, Surname, and workforceID. 


The following table includes some examples of classes and attributes found on the Publisher 
Channel filter: 

Classes     Attributes 

User        Login Disabled 
            sapProfiles 
            sapRoles 
            sapUsername 


The Subscriber Channel Filter 


The Subscriber Channel filter contains the set of classes and attributes that the SAP system 
receives from eDirectory. You modify the Subscriber Channel filter by adding all the attributes to 
the filter that you want synchronized. 


NOTE: Do not remove the workforceID attribute from the Subscriber Channel filter. It is the attribute the driver 
uses to locate and modify users. 


The default driver configuration allows the following User class attributes on the Subscriber 
Channel filter: 


birthName 
buildingName 
commType 
company 
costCenter 
Facsimile Telephone Number 
firstPrefix 
floor 
Full Name 
Given Name 
inHouseMail 
Initials 
initialsSig 
Internet Email Address 
Login Disabled 
middleName 
mobile 
nickname 
OU 
pager 
roomNumber 
sapAlias 
sapCATT 
sapClass 
sapCompanyKey 
sapDateFormat 
sapDecimalFormat 
sapGroups 
sapLanguage 
sapLoginLanguage 
sapParameters 
sapPrintParam1 
sapPrintParam2 
sapPrintParam3 
sapProfiles 
sapRefUser 
sapRoles 
sapSncGuiFlag 
sapSncName 
sapSpool 
sapStartMenu 
sapTimeZone 
sapUsername 
sapUserType 
sapValidFrom 
sapValidTo 
secondName 
secondPrefix 
Surname 
Telephone Number 
telexNumber 
Title 
titleAcademic1 
titleAcademic2 


The Schema Mapping Policy 


The Schema Mapping policy is referenced by the driver object and applies to both the Subscriber 
and Publisher channels. The purpose of the Schema Mapping policy is to map schema names 
(particularly attribute names and class names) between eDirectory and the SAP User database. 
Any modification or removal of existing entries in the Schema Mapping policy could destroy the 
default configuration and the processing behavior of its policies. Adding new attribute mappings is 
discretionary. The following attribute mappings are included with the default driver configuration: 


eDirectory Class    SAP Class    SAP Description 

User                US           USER 


The User class is configured to synchronize bidirectionally between SAP and eDirectory. A 
change made in one system will transfer to the other system. 


All attributes in the Publisher and Subscriber filters should be mapped unless they are used only 
for policy processing. 


SAP User field values can be arranged in three types: 


1. Simple fields: These values are not grouped with other fields. The syntax in the schema map 
is <field name>. 


2. Structure fields: These values are grouped with other pieces of data that describe a larger 
collection of single-instance data. The syntax for these fields in the schema map is <structure 
name>:<field name>. For example, ADDRESS:TELEPHONE. 


3. Table fields: These values are similar to Structure fields, but there can be multiple instances 
of the structured data. The syntax for these fields in the schema map is <table name>:<field 
name>. For example, ADDTEL:TELEPHONE. 


The following table includes common attribute mappings for the User class and their descriptions, 
assuming that only the primary piece of structure communication data is required (such as 
ADD:TELEPHONE). If all fields of a structure are to be mapped, you should specify only the 
Structure or Table name in the mapping (such as ADDTEL). If you do this, the driver assumes 
synchronization of the primary data field (in this instance, TELEPHONE) on the Subscriber 
channel, and will synchronize all data fields with a semicolon (“;”) delimiter on the Publisher 
channel. 


The Schema Mapping policy is highly dependent on the extension of the standard eDirectory 
schema. The extensions used by the driver come in the form of an LDIF file created by SAP for 
use with the SAP directory interfaces for user management. This file is included with the driver. 
Refer to “Extending the Schema” on page 19 for more information. 


The default mappings for the driver are as follows: 


eDirectory Attribute        SAP User Field Description                              SAP User Field 

birthName                   Name of person at birth                                 ADDRESS:BIRTH_NAME 
buildingName                Building (number or code)                               ADDRESS:BUILDING_P 
commType                    Communication type (key) (Central address management)   ADDRESS:COMM_TYPE 
company                     Company address, cross-system key                       COMPANY:COMPANY 
costCenter                  Cost center                                             DEFAULTS:KOSTL 
Facsimile Telephone Number  Fax number: dialing code+number                         ADDFAX:FAX 
firstPrefix                 Name prefix                                             ADDRESS:PREFIX1 
floor                       Floor in building                                       ADDRESS:FLOOR_P 
Full Name                   Complete personal name                                  ADDRESS:FULLNAME 
Given Name                  First name                                              ADDRESS:FIRSTNAME 
inHouseMail                 Int. mail postal code                                   ADDRESS:INHOUSE_ML 
Initials                    Middle Initial or personal initials                     ADDRESS:INITIALS 
InitialsSig                 Short name for correspondence                           ADDRESS:INITS_SIG 
Internet EMail Address      Internet mail (SMTP) address                            ADDSMPT:E_MAIL 
Login Disabled              Lock User account                                       LOCKUSER [1] 
middleName                  Middle name or second forename of a person              ADDRESS:MIDDLEWARE 
nickname                    Nickname or name used                                   ADDRESS:NICKNAME 
OU                          Department                                              ADDRESS:DEPARTMENT 
pager                       Pager number                                            ADDPAG:PAGER 
roomNumber                  Room or apartment number                                ADDRESS:ROOM_NO_P 
sapAlias                    Internet user alias                                     ALIAS:USERALIAS 
sapCATT                     CATT: Test status                                       DEFAULTS:CATTKENNZ 
sapClass                    User group in user master maintenance                   LOGONDATA:CLASS 
sapCompanyKey               Company address, cross-system key                       COMPANY:COMPANY 
sapDateFormat               Date format                                             DEFAULTS:DATFM 
sapDecimalFormat            Decimal Notation                                        DEFAULTS:DCPFM 
sapGroups                   User group in user master maintenance                   GROUPS:USERGROUP 
sapLanguage                 Language key                                            ADDRESS:LANGU_P 
sapLoginLanguage            Language                                                DEFAULTS:LANGU 
sapParameters               Get/Set parameter ID and parameter values               PARAMETER 
sapPrintParam1              Print parameter 1                                       DEFAULTS:SPLG 
sapPrintParam2              Print parameter 2                                       DEFAULTS:SPDB 
sapPrintParam3              Print parameter 3                                       DEFAULTS:SPDA 
sapProfiles                 Profile name                                            PROFILES:BAPIPROF 
sapRefUser                  User name in user master record                         REF_USER:REF_USER 
sapRoles                    Role Name                                               ACTIVITYGROUPS:AGR_NAME 
sapSpool                    Spool: Output device                                    DEFAULTS:SPLD 
sapStartMenu                Start Menu                                              DEFAULTS:START_MENU 
sapTimeZone                 Time zone                                               LOGONDATA:TZONE 
sapUsername                 User Name                                               USERNAME:BAPIBNAME 
sapUserType                 User Type                                               LOGONDATA:USTYP 
sapValidFrom                User valid from                                         LOGONDATA:GLTGV 
sapValidTo                  User valid to                                           LOGONDATA:GLTGB 
secondName                  Second surname of a person                              LOGONDATA:SECONDNAME 
secondPrefix                Name prefix                                             ADDRESS:PREFIX2 
Surname                     Last name                                               ADDRESS:LASTNAME 
Telephone Number            Telephone no.: dialing code+number                      ADDTEL:TELEPHONE 
telexNumber                 Telex Number                                            ADDTLX:TELEX_NO 
Title                       Function                                                ADDRESS:FUNCTION 
titleAcademic1              Academic title: written form                            ADDRESS:TITLE_ACA1 
titleAcademic2              Academic title: written form                            ADDRESS:TITLE_ACA2 


[1] The LOCKUSER attribute does not actually exist in SAP. This pseudo-attribute is used by the 
driver to determine when to call USER_LOCK and USER_UNLOCK BAPI functions. 


The Input Transform Policy 


You modify the Input Transform policy to implement your specific business rules. The Input 
Transform policy is applied to effect a transformation of the data received from the driver shim. 


The policy is applied as the first step of processing an XML document received from the driver 
shim. The Input Transform policy converts the syntax of the SAP attributes into the syntax for 
eDirectory. 


The default driver configuration includes a single template that completes the following action: 


+ After successful creation of a User object in SAP, the sapUsername attribute with the new 
username is written back into the associated eDirectory User object. 


Modifying the Output Transform Policy 


You modify the Output Transform policy to implement your specific business rules. The Output 
Transformation policy is referenced by the driver object and applies to both the Subscriber channel 
and to the Publisher channel. The purpose of the Output Transformation policy is to perform any 
final transformation necessary on XML documents sent to the driver by Identity Manager and 
returned to the driver by Identity Manager. 

The default driver configuration includes templates that complete the following actions: 


+ Decoding the base-64 octet string syntax of the eDirectory telexNumber attribute value into a 
Java String format using the driver’s configured Character Set encoding parameter. 


+ Transforming the pseudo-attribute LOCKUSER value from a true/false format to a 1/0 
format. 


+ Transforming the structured format of the eDirectory Facsimile Telephone Number attribute 
into the String format used in the ADDFAX:FAX table field. 


The Publisher Placement Policy 


The Publisher Placement policy is applied to an Add Object event document to determine the 
placement of the new object in the hierarchical structure of eDirectory. 


The Placement policy places all User objects in an eDirectory container that you specify during 
installation. 


The Publisher Matching Policy 


The Publisher Matching policy is applied to a Modify Object event document. Matching policies 
establish links between an existing entry in eDirectory and an existing entry in the SAP system. 
The Matching policy attempts to find an existing object that matches the object generating the 
event by the criteria specified in the policy. 


The default driver checks for matches based on the Given Name and Surname attributes. 


The Publisher Create Policy 


The Publisher Create policy is applied when a new object is to be added to eDirectory. The default 
driver configuration has Create policies for the following: 


+ Creating a User object (Surname and Given Name attributes are required) 
+ Generating an object name (CN) based on Given Name and Surname attributes 
+ Setting the initial password to the value of a user’s Surname. 


The Subscriber Matching Policy 


The Subscriber Matching policy is applied to a Modify Object event document. Matching policies 
establish links between an existing entry in eDirectory and an existing entry in the SAP system. 
The Matching policy attempts to find an existing object that matches the object generating the 
event by the criteria specified in the policy. 


The default driver checks for matches based on the values of the Given Name and Surname 
attributes. (The proper schema names for SAP are mapped prior to submission to the driver.) 


The Subscriber Create Policy 


The Subscriber Create policy is applied when you want to add a new object to eDirectory. The 
default driver configuration has Create policies for the following: 


+ Generating an object name (sapUsername) based on the Given Name and Surname attributes. 
+ Setting the initial password to the value PASSWORD. 
+ Setting a default sapRoles value of SAP_ESSUSER. 


Obtaining Company Address Data for User Objects 


There are several attributes of the SAP User object that are associated with the Company Address 
object assigned to the User. These attributes, by default, are never populated in BAPI or IDoc 
distributions of User data from the SAP application server. These fields also cannot be read from 
the User object in SAP. Company Address data is maintained in a table of related records of the 
ADDRESSORG type. The driver can retrieve this data from the ADDRESSORG table if desired. 


The driver parameter to publish Company Address data <nsap-use-addressorg> is set to 1 by 
default. Setting the value to 1 retrieves the data from the ADDRESSORG table if attributes in the 
table exist in the Publisher filter, or if the attributes are in <read-attr> elements of a query 
document. Although this data can be retrieved from the SAP system, ADDRESSORG data cannot 
be added, modified, or removed from the SAP system via the driver. If the value of this parameter 
is set to 0, the company address fields are retrieved from the User object itself. As previously 
mentioned, by default, these fields won’t contain any data. 


To fully implement the address retrieval functionality, you must configure the driver to receive 
events when the ADDRESSORG table is modified. By receiving these events, the driver obtains 
a list of all User objects assigned to the modified ADDRESSORG table and issues modify events 
with the changed data for each affected user. 


To generate ADDRESSORG modify events, you need to modify the ALE distribution model on 
the SAP application server to include the distribution of the Company Clone (CCLONE) BAPI. 

Refer to “Creating a Distribution Model” on page 26 and “Modify Port Definition” on page 28 for 
more information. 


The following User object fields might be affected by this functionality. 


NAME HOUSE_NO2 
NAME_2 STR_SUPPL1 
NAME_3 STR_SUPPL2 
NAME_4 STR_SUPPL3 
C_O_NAME BUILDING 
CITY DISTRICT 
CITY_NO FLOOR 
DISTRICT ROOM_NO 
DISTRICT_NO COUNTRY 
POSTL_COD1 COUNTRYIOS 
POSTL_COD2 LOCATION 
POSTL_COD3 LANGU_ISO 
PO_BOX REGION 
PO_BOX_CIT SORT1 
PBOXCIT_NO TIME_ZONE 
DELIV_DIS TAXJURCODE 
TRANSPZONE STR_ABBR 
STREET HOUSE_NO 
STREET_NO 


Troubleshooting the Driver 


This section contains potential problems and error codes you might encounter while configuring 
or using the driver. 


+ “Driver Load Errors” on page 47 
+ “Driver Initialization Errors” on page 48 
+ “Error connecting to SAP host” on page 48 
+ “IDoc File or IDoc TRFC Documents Not Generated when a SAP User Is Created or 
Modified” on page 49 
+ “Users Created in SAP Cannot Log On to the SAP System (CUA in Use)” on page 49 
+ “The Driver Does Not Recognize IDocs in the Directory” on page 49 
+ “The Driver Does Not Authenticate to SAP” on page 50 
+ “JCO Installation and Configuration Errors” on page 50 
+ “Error When Mapping Drives to the IDoc Directory” on page 50 


Using the DSTrace Utility 


You can troubleshoot the driver using the DSTrace utility. You will want to configure the utility’s 
options by selecting Edit > Properties > DirXML Drivers. 


For each event or operation received, the driver returns an XML document containing a status 
report. If the operation or event is not successful, the status report also contains a reason, a text 
message describing the error condition. If the result is fatal, the driver shuts down. 


After you have configured the DSTrace Utility, you can monitor your system for errors. 


Driver Load Errors 


If the driver does not load, check DSTrace for the following error messages: 


java.lang.ClassNotFoundException:com.novell.nds.dirxml.driver.sapusershim.SAPDriverShim 


This is a fatal error that occurs when sapusershim.jar is not installed properly. Ensure that the file 
is in the proper location for either a local or Remote Loader configuration. 


java.lang.ClassNotFoundException:com.novell.nds.dirxml.drivers.sapusershim.SAPDriverShim 


This is a fatal error that occurs when the class name for sapusershim.jar is incorrect. You should 
ensure that the Java class name is set on the Driver Module tab in a local installation and that the 
-class parameter is set in a Remote Loader configuration. 


The proper class name is com.novell.nds.dirxml.driver.sapusershim.SAPDriverShim 


Driver Initialization Errors 

You might see the following driver initialization errors in the DSTrace utility. An explanation of 
the error is given along with recommended solutions. 

com/sap/mw/jco/JCO 


This error occurs when the SAP Java Connector jco.jar file or sapjco.jar or the JCO native support 
libraries are not present or are improperly located. 


Make sure the proper platform version of jco.jar or sapjco.jar is located in the same directory as 
sapusershim.jar. 


Also check the JCO native support libraries to make sure they are present and properly configured. 
Use the JCO installation instructions for the appropriate platform. 


no jRFC12 in java.library.path 


This error occurs when the SAP Java Connector (JCO) native RFC12 support library is not present 
or is located improperly. 


Make sure the JCO native support libraries are present and configured properly. Use the JCO 
installation instructions for the appropriate platform. 


/usr/jdk1.3.1/lib/sparc/libjRFC12.so:<classpath info>:fatal librfccm.so:open failed: No such file or directory 


This error occurs when the SAP Java Connector (JCO) native RFC support library librfccm.so is 
not present or is improperly located. This sample error is from a Solaris system. 


Make sure the JCO native support libraries are present and properly configured. Follow the JCO 
installation instructions for the appropriate platform. 


com.novell.nds.dirxml.engine.VRDException 

This error occurs when the SAP Java Connector (JCO) components cannot be located. 


This error generally occurs if the driver or Remote Loader has not been restarted after the JCO has 
been configured. Restart Novell® eDirectory™ if you are using a local configuration or restart the 
remote loader for a remote configuration. 


Error connecting to SAP host 


This error occurs when the SAP authentication or connection information is not configured 
properly. 


Ensure that the values for Authentication and Driver Parameters are correct for authentication to 
the SAP host system. 


nsap-pub-directory parameter is not a directory 


This error occurs when the Publisher IDoc Directory parameter in the Publisher Settings of the 
Driver Parameters does not specify a valid file system location. 


Ensure that this parameter specifies the directory on the SAP system configured in the SAP ALE 
subsystem for IDoc file output. 

No connection to remote loader 


This error occurs when the Remote Loader connection parameter information is incorrect. 
Configure the proper connection information for the remote connection to the system where the 
Remote Loader is running. 


Authentication handshake failed, Remote Loader message: “Invalid loader password.” 


This error occurs when the Remote Loader password configured on the remote system does not 
match the Remote Loader password on the Driver object. 


Set matching passwords for both remote loaders. In ConsoleOne® or iManager, ensure that both 
the application password and Remote Loader passwords are set at the same time. 


Authentication handshake failed: Received invalid driver object password 


This error occurs when the driver password configured on the remote system does not match the 
Driver object password on the Driver object. 


To correct this, you should set both Driver object passwords identically. 


IDoc File or IDoc TRFC Documents Not Generated when a SAP User Is Created or Modified 


You should ensure that the ALE and CUA processes are configured properly, and that you have 
correctly entered the data. 


User data is distributed to the driver only if CUA has been properly configured and if the logical 
system representing the driver has been selected for distribution under the Systems tab in the SAP 
User Maintenance dialog box. 


Users Created in SAP Cannot Log On to the SAP System (CUA in Use) 


When creating users in the CUA central system, you must manually associate User objects with 
the client systems to which they authenticate. You do this by editing the User object from the SAP 
User Maintenance dialog box, then adding an appropriate client logical system under the Systems 
tab. This problem should not occur when creating users in non-central CUA systems. 


The Driver Does Not Recognize IDocs in the Directory 


You should first test the ALE and CUA interface. Refer to your SAP documentation for more 
information. 


If the IDoc interface fails: 


+ Using transaction WE21, ensure that the file port is configured properly. You should validate 
the path to the directory and make sure the Transfer IDoc Immediately radio button is selected. 


+ Using transaction WE20, ensure that the appropriate file port is selected in the Partner Profile. 
Also, verify that it is on the outbound parameters of the receiving system. 


If the IDoc interface succeeds: 

+ Ensure that the correct distribution model has been selected using transaction SCUA. 


+ Ensure that the proper User field data distribution is configured using transaction SCUM. 


IDocs Are Not Written to the Driver (TRFC Port Configuration) 


You should first test the ALE and CUA interface. Refer to your SAP documentation for more 
information. 


If the IDoc distribution succeeds but data is not received: 

+ Verify that the driver is configured to receive data from the correct SAP Gateway. 
+ Verify that the driver Program ID is unique. 
+ Using transaction WE21, verify that the SAP port configuration is configured to distribute to 
the logical system representing the driver. 


If the IDoc interface succeeds: 
+ Ensure that the correct distribution model has been selected using transaction SCUA. 


+ Ensure that the proper User field data distribution is configured using transaction SCUM. 


The Driver Does Not Authenticate to SAP 


You should first ensure that you have configured all of the driver parameters and that the proper 
passwords have been entered. If the SAP system is the central system of a CUA configuration, 
make sure the User object used for authentication is properly associated with the client logical 
system. See “Users Created in SAP Cannot Log On to the SAP System (CUA in Use)” on page 49. 


If you are running the driver remotely, make sure that the Remote Loader has been started before 
you start the driver. 


JCO Installation and Configuration Errors 


For detailed instructions on using the JCO Test utility and analyzing error messages, refer to 
“Using the SAP Java Connector Test Utility” on page 31. 


Error When Mapping Drives to the IDoc Directory 


You might see the following error in DSTrace if the IDoc directory parameter specifies an invalid 
local file system container or if it specifies a mapped drive on a remote system. 


*** NDS Trace Utility - BEGIN Logging *** Fri Sep 13 15:45:59 2002 


DirXML Log Event 
Driver = \FLIBBLE_TREE\n\Driver Set\SAP-UM 
Channel = publisher 
Status = fatal 
Message = 


<description>SAP Document Poller initialization failed: 
com.novell.nds.dirxml.driver.sapusershim.SAPDocumentPollerInitFailure: Specified Publisher 
IDoc Directory is invalid.</description> 


*** NDS Trace Utility - END Logging *** Fri Sep 13 15:46:31 2002 


This error occurs because the Windows operating system service runs with the rights of the local 
system, not the rights of a user. Thus, the local Windows system does not have rights to access any 
file resources outside of its own system, including the IDoc directory. 
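
A sketch of triaging DSTrace output against the error strings listed in this section, added here as an example and not part of the driver or of this guide. The finding codes and function names are made up for illustration; the trace text is the sample shown above.

```python
import re

# Class name the guide gives as correct for the driver shim.
PROPER_SHIM_CLASS = "com.novell.nds.dirxml.driver.sapusershim.SAPDriverShim"

# Error text quoted in the guide -> finding code (the codes are illustrative).
SIGNATURES = [
    (re.compile(r"librfccm\.so.*(open failed|cannot open)"), "jco-librfccm-missing"),
    (re.compile(r"no jRFC12 in java\.library\.path"), "jco-native-lib-missing"),
    (re.compile(r"Invalid loader password"), "remote-loader-password-mismatch"),
    (re.compile(r"Received invalid driver object password"), "driver-password-mismatch"),
    (re.compile(r"nsap-pub-directory parameter is not a directory"), "idoc-directory-invalid"),
    (re.compile(r"Specified Publisher IDoc Directory is invalid"), "idoc-directory-invalid"),
]
CLASS_NOT_FOUND = re.compile(r"ClassNotFoundException:\s*([\w.$]+)")
FIELD = re.compile(r"^(Driver|Channel|Status|Message)\s*=\s*(.*)$")

# The guide's sample trace, reproduced as input.
SAMPLE_LOG = r"""*** NDS Trace Utility - BEGIN Logging *** Fri Sep 13 15:45:59 2002

DirXML Log Event
Driver = \FLIBBLE_TREE\n\Driver Set\SAP-UM
Channel = publisher
Status = fatal
Message =

<description>SAP Document Poller initialization failed:
com.novell.nds.dirxml.driver.sapusershim.SAPDocumentPollerInitFailure: Specified Publisher
IDoc Directory is invalid.</description>

*** NDS Trace Utility - END Logging *** Fri Sep 13 15:46:31 2002
"""


def classify(text):
    """Map one trace line or event message to a finding code, or None."""
    found = CLASS_NOT_FOUND.search(text)
    if found:
        name = found.group(1)
        if name == PROPER_SHIM_CLASS:
            return "shim-jar-not-found"      # name is right: sapusershim.jar is misplaced
        if name.endswith(".SAPDriverShim"):
            return "shim-class-name-wrong"   # e.g. 'drivers' where 'driver' is expected
        return "other-class-not-found"
    for pattern, code in SIGNATURES:
        if pattern.search(text):
            return code
    return None


def parse_events(log_text):
    """Split trace text into DirXML Log Event records with a joined Message."""
    events, current, in_message = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("DirXML Log Event"):
            current = {"Driver": "", "Channel": "", "Status": "", "Message": ""}
            events.append(current)
            in_message = False
        elif line.startswith("***"):          # BEGIN/END Logging banner closes the event
            current, in_message = None, False
        elif current is None or not line:
            continue
        elif in_message:                       # Message text wraps over several lines
            current["Message"] = (current["Message"] + " " + line).strip()
        else:
            field = FIELD.match(line)
            if field:
                current[field.group(1)] = field.group(2).strip()
                in_message = field.group(1) == "Message"
    return events


def triage(log_text):
    """Return (driver, channel, status, code) for fatal or recognised events."""
    findings = []
    for event in parse_events(log_text):
        code = classify(event["Message"])
        if code or event["Status"].lower() == "fatal":
            findings.append((event["Driver"], event["Channel"], event["Status"],
                             code or "unclassified"))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(classify("java.lang.ClassNotFoundException:"
                   "com.novell.nds.dirxml.drivers.sapusershim.SAPDriverShim"))
```

The two ClassNotFoundException cases differ only in the package name, so comparing the reported class against the proper class name is what separates a misplaced jar from a mistyped class setting.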

Example XML Document Received from the Driver 


The following example is a typical XML document received from the default configuration of the 
driver. 


<nds dtdversion="1.0" ndsversion="8.5"> 
  <source> 
    <product build="20030509_1030" instance="SAP-USER-REMOTE-46C" version="1.0">DirXML Driver for User Management of SAP Software</product> 
    <contact>Novell, Inc.</contact> 
  </source> 
  <input xmlns:sapshim="http://www.novell.com/dirxml/drivers/sapusershim"> 
    <modify class-name="US" event-id="0_001_0000000000216097" src-dn="SSAMPLE" 
            timestamp="20030509"> 
      <association>JWriter</association> 
      <modify-attr attr-name="PROFILES:BAPIPROF"> 
        <remove-all-values/> 
      </modify-attr> 
      <modify-attr attr-name="USERNAME:BAPIBNAME"> 
        <remove-all-values/> 
      </modify-attr> 
      <modify-attr attr-name="ACTIVITYGROUPS:AGR_NAME"> 
        <remove-all-values/> 
      </modify-attr> 
      <modify-attr attr-name="PROFILES:BAPIPROF"> 
        <add-value> 
          <value>SAP_ALL</value> 
          <value>SAP_NEW</value> 
        </add-value> 
      </modify-attr> 
      <modify-attr attr-name="USERNAME:BAPIBNAME"> 
        <add-value> 
          <value>JWriter</value> 
        </add-value> 
      </modify-attr> 
      <modify-attr attr-name="ACTIVITYGROUPS:AGR_NAME"> 
        <add-value> 
          <value>SAP_EMPLOYEE</value> 
        </add-value> 
      </modify-attr> 
    </modify> 
  </input> 
</nds> 


Some characteristics to note: 


+ All XML documents received from the SAP system are translated into <modify> documents. 
This translation occurs because it is not possible to determine whether the object described by 
the document has been modified or is new. Additional modification or translation of the 
document is accomplished through policies and the DirXML® engine. 


+ The <modify> element contains the class name of the object described in the SAP namespace 
(that is, US=User). The event-id attribute contains the IDoc number from which the data is 
derived. The src-dn attribute contains the SAP Object name value. The timestamp attribute 
contains the date that the IDoc was processed by the driver. 


+ The <association> element data always contains the SAP Object ID. 


+ The <modify-attr> element contains the attr-name described in SAP format (Structure or 
Table name:Attribute Name). 


+ Because multivalued attributes cannot be consistently mapped across systems, the 
<remove-all-values> element is used prior to all <add-value> tags. This instructs the DirXML engine 
to remove all existing values for the attribute prior to assigning the new values. If this 
functionality is not desired, one of the policies may be used to modify the document. 


+ The <value> element contains a timestamp attribute with the BEGIN VALIDITY-END 
VALIDITY time stamp of the attribute’s data segment (for example, Segment P001 data has 
a time stamp of 20011018-99991231). This means the data became valid on October 18, 2001 
and remains valid to the SAP maximum date. All data segments might have different and/or 
future-dated validity time stamps. 


+ All values are in a string format. 
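
The characteristics above can be exercised with a short reader for these documents. This is an added example, not code from the driver or from Novell: it folds each <modify> into the final values per attribute, translates SAP field names back to eDirectory names using part of the default schema map, and surfaces assignments of watched profiles. The function names, the watched-profile set, and the sample document (modelled on the one above) are assumptions.

```python
import xml.etree.ElementTree as ET

# Part of the guide's default schema map, inverted: SAP field -> eDirectory attribute.
SAP_TO_EDIR = {
    "PROFILES:BAPIPROF": "sapProfiles",
    "ACTIVITYGROUPS:AGR_NAME": "sapRoles",
    "USERNAME:BAPIBNAME": "sapUsername",
    "LOGONDATA:USTYP": "sapUserType",
    "ADDRESS:FIRSTNAME": "Given Name",
    "ADDRESS:LASTNAME": "Surname",
}

# Assumption: the profiles a reviewer wants surfaced. SAP_ALL and SAP_NEW are
# SAP-delivered profiles that carry very broad authorizations.
WATCHED_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed sample modelled on the guide's example document. One attr-name has
# stray spaces around ':' and one field (ADDRESS:CITY) is outside the map above.
SAMPLE_DOC = """\
<nds dtdversion="1.0" ndsversion="8.5">
  <input xmlns:sapshim="http://www.novell.com/dirxml/drivers/sapusershim">
    <modify class-name="US" event-id="0_001_0000000000216097" src-dn="SSAMPLE"
            timestamp="20030509">
      <association>JWriter</association>
      <modify-attr attr-name="PROFILES:BAPIPROF"><remove-all-values/></modify-attr>
      <modify-attr attr-name="USERNAME : BAPIBNAME"><remove-all-values/></modify-attr>
      <modify-attr attr-name="PROFILES:BAPIPROF">
        <add-value><value>SAP_ALL</value><value>SAP_NEW</value></add-value>
      </modify-attr>
      <modify-attr attr-name="USERNAME : BAPIBNAME">
        <add-value><value>JWriter</value></add-value>
      </modify-attr>
      <modify-attr attr-name="ADDRESS:CITY">
        <add-value><value>Provo</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
"""


def normalize_attr_name(name):
    """'USERNAME : BAPIBNAME' -> 'USERNAME:BAPIBNAME'."""
    return ":".join(part.strip() for part in name.split(":"))


def effective_changes(doc_text):
    """Fold each <modify> into the final value list per attribute.

    Operations are applied in document order, so a <remove-all-values/> followed
    by <add-value> becomes "replace existing values with these".
    """
    records = []
    for modify in ET.fromstring(doc_text).iter("modify"):
        attrs, unmapped = {}, []
        for mattr in modify.findall("modify-attr"):
            sap_name = normalize_attr_name(mattr.get("attr-name", ""))
            edir_name = SAP_TO_EDIR.get(sap_name)
            if edir_name is None:
                if sap_name not in unmapped:
                    unmapped.append(sap_name)
                continue
            entry = attrs.setdefault(
                edir_name, {"sap_field": sap_name, "values": [], "replaces_existing": False}
            )
            for op in mattr:
                if op.tag == "remove-all-values":
                    entry["values"].clear()
                    entry["replaces_existing"] = True
                elif op.tag == "add-value":
                    entry["values"] += [(v.text or "").strip() for v in op.findall("value")]
        records.append({
            "class_name": modify.get("class-name"),
            "event_id": modify.get("event-id"),   # IDoc number
            "src_dn": modify.get("src-dn"),
            "association": (modify.findtext("association") or "").strip(),
            "attrs": attrs,
            "unmapped": unmapped,
        })
    return records


def flag_watched_profiles(records):
    """Return (association, event_id, profile) for every watched profile assigned."""
    hits = []
    for rec in records:
        profiles = rec["attrs"].get("sapProfiles", {}).get("values", [])
        for profile in profiles:
            if profile.upper() in WATCHED_PROFILES:
                hits.append((rec["association"], rec["event_id"], profile))
    return hits


if __name__ == "__main__":
    recs = effective_changes(SAMPLE_DOC)
    for rec in recs:
        print(rec["association"], rec["attrs"], "unmapped:", rec["unmapped"])
    print("review:", flag_watched_profiles(recs))
```

Fields reported as unmapped are ones the document carries but the map does not, which is the condition the Schema Mapping section says to avoid for attributes in the filters.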

Configuration and Deployment Notes 


The following information can be valuable when modifying the driver configuration or when 
trying to understand SAP system behavior. Many of these notes relate to data value restrictions on 
the User record. You should investigate the system configuration thoroughly, because some values 
might have been modified or extended by the SAP administrator. 


SAP Object Types 


The following SAP object types of interest might be referenced in <query> operations to SAP. 


USER Object Type: US 
Activity Groups Object Type: AG 
Standard Roles Object Type: AC 
Company Object Type: U 

User Groups Object Type: UG 


User Types: LOGONDATA:USTYP 


+ A - Dialog 
+ C - Communication (CPIC) 
+ D - System (BDC) 
+ S - Service 
+ L - Reference 


Output Controller Options 


G - Output immediately          DEFAULTS:SPDB 
H - Don’t output immediately    DEFAULTS:SPDB 
D - Delete after output         DEFAULTS:SPDA 
K - Don’t delete after output   DEFAULTS:SPDA 


Communication Types: ADDCOMREM:COMM_TYPE 


+ INT - EMail Address type (SMTP) 
+ LET - Letter (Standard Post) 

+ PAG - Pager 

+ FAX - Facsimile 

+ PRT - Printer 

+ RML - Remote Mail 

+ TEL - Telephone 

+ TLX - Telex 

+ TTX - Teletex 


+ SSF - Secure Store and Forward 


Date Formats: DEFAULTS:DATAFM 


1. DD.MM.YYYY 
2. MM/DD/YYYY 
3. MM-DD-YYYY 
4. YYYY.MM.DD 
5. YYYY/MM/DD 
6. YYYY-MM-DD 


Decimal Formats: DEFAULTS:DCPFM 


“X” - The decimal divider is a dot, and the thousands divider is a comma (NN,NNN.NN) 
“Y” - The decimal divider is a comma, and the thousands divider is a blank (NNN NNN,NN) 
“ ” - The decimal divider is a comma, and the thousands divider is a dot (NN.NNN,NN) 


Computer Aided Test (CATT): DEFAULTS:CATTKENNZ 


“X” - CATT: Test status set 
“ ” - CATT: Test status not set 
“” - CATT: CATT status set 


Communication Comment Type to Table Mappings 


Table: ADDTEL Comment Type: TEL Key Field: TELEPHONE 
Table: ADDFAX Comment Type: FAX Key Field: FAX 

Table: ADDPAG Comment Type: PAG Key Field: PAGER 
Table: ADDSMTP Comment Type: INT Key Field: E_MAIL 
Table: ADDTTX Comment Type: TTX Key Field: TELETEX 
Table: ADDPRT Comment Type: PRT Key Field: PRINT_DEST 
Table: ADDTLX Comment Type: TLX Key Field: TELEX_NO 
Table: ADDRML Comment Type: RML Key Field: R_MAIL 
Table: ADDURI Comment Type: URI Key Field: URI 


Language Codes 


Language               Two-Letter Code    One-Letter Code 

Afrikaans              AF                 a 
Arabic                 AR                 A 
Bulgarian              BG                 W 
Czech                  CS                 C 
Danish                 DA                 K 
German                 DE                 D 
Greek                  EL                 G 
English                EN                 E 
Spanish                ES                 S 
Estonian               ET                 9 
Finnish                FI                 U 
French                 FR                 F 
Hebrew                 HE                 B 
Croatian               HR                 6 
Hungarian              HU                 H 
Indonesian             ID                 i 
Italian                IT                 I 
Japanese               JA                 J 
Korean                 KO                 3 
Lithuanian             LT                 X 
Latvian                LV                 Y 
Malaysian              MS                 7 
Dutch                  NL                 N 
Norwegian              NO                 O 
Polish                 PL                 E 
Portuguese             PT                 P 
Romanian               RO                 4 
Russian                RU                 R 
Slovak                 SK                 Q 
Slovene                SL                 5 
Serbian                SR                 0 (zero) 
Swedish                SV                 V 
Thai                   TH                 2 
Turkish                TR                 T 
Ukrainian              UK                 8 
Customer Reserve       Z1                 Z 
Chinese Traditional    ZF                 M 
Chinese                ZH                 1 


Configuration Parameters 


Comment text for configuration parameters is limited to a maximum length of 50 bytes. 


Design Comments and Notes 


When specifying either USER or COMPANY names in BAPI calls, the name field must be in all- 
caps format, even if the naming field is not specified as such. 


In BAPI_USER_CHANGE (ADDRESS table) 


+ The COMM-TYPE attribute in SAP has defined, acceptable values. Invalid input generates 
an exception and an error message stating, “The communication type <commType> is not 
defined.” Valid fields are the abbreviations for the supported communication types on the 
SAP Host. 


+ The TITLE_ACA1 and TITLE_ACA2 attributes have predefined, acceptable values. Invalid 
input results in the value in SAP being set to a null string (“”). 


+ The PREFIX1 and PREFIX2 attributes have predefined, acceptable values. Invalid input 
results in the value in SAP being set to a null string (“”). 


+ The TEL1_NUMBR is linked to the primary, or Standard, Telephone number in the 
Telephone communication table. 


In BAPI_USER_CHANGE (ADDFAX table) 


+ The Facsimile Telephone Number attribute in eDirectory is a structured attribute. An output 
transformation converts it to a single attribute format. 


In BAPI_USER_CHANGE (ADDTEL table) 


+ Must have a CONSNUMBER (either the number of the one you wish to change or a new, 
non-000 number). 


+ The STD_NO field must be set to X if you are synchronizing a single field or if the number 
is the only number present. 


+ The primary data field is TELEPHONE. Phone numbers are always mapped to 
ADDTEL:TELEPHONE if no field is specified in the attribute mapping. 


In BAPI_USER_CHANGE (ADDTLX table) 


+ By default, this table is mapped to the Organizational Person; telexNumber attribute. This 
syntax is OCTET_STRING, which is encoded by Identity Manager into Base64 string 
encoding. A Java function is provided in the driver sapusershim.jar file that can decode this 
into the proper String format in the Output Transformation prior to submission to SAP. If you 
are using the driver on a remote system, place the driver shim in the same file system container 
with the DirXML library in the Input Transformation for the Publisher channel. 


+ The primary data field is TELEX_NO. 
+ Other rules apply as described for the ADDTEL table. 


In BAPI_USER_CHANGE (ADDFAX table) 


+ There is only one field in this table, USERGROUP. This is the primary field if it is not 
specified in the mapping. 


+ The primary data field is FAX. 
+ Other rules apply as described for the ADDTEL table. 


In BAPI_USER_CHANGE (GROUPS table) 
+ There is only one field in this table, USERGROUP. This is the primary field if it is not 
specified in the mapping. 
In BAPI_USER_CHANGE (ALIAS structure) 


+ There is only one field in this table, USERALIAS. This is the primary field if it is not 
specified in the mapping. 


+ The BAPIALIAS field of the ALIASX structure must be set to X if any modification is done 
to the ALIAS structure. 

+ The SAP system guarantees that Alias names are unique among all users. If an alias value is 
already assigned to another user, the modification fails. 


In BAPI_USER_CHANGE (REF_USER structure) 


+ There is only one field in this table, REF_USER. This is the primary field if it is not specified 
in the mapping. 

+ The value specified as REF_USER must be an existing User object on the SAP client, and the 
Reference User's type flag must be set to Reference (User Type L). 


In BAPI_USER_CHANGE (DEFAULTS structure) 


+ The SPDB field can only be populated with a G (GO or Output Immediately) or an H (Hold 
output) or a null string (""), which sets the value to H. All other values generate an error 
message. This field is case sensitive. 

+ The SPDA field can only be populated with a D (Delete after print) or a K (Keep) or a null 
string (""), which sets the value to K. All other values generate an error message. This field is 
case sensitive. 

+ The KOSTL (Cost center) field is automatically truncated to 8 bytes by the SAP system. 

+ The SPLG field does not appear to be utilized at all. Any value is accepted but does not relate 
to any attribute shown in the SAP GUI. 

+ The START_MENU field can be set to any value up to 30 characters whether or not a valid 
menu exists for the value being set. 

+ The SPLD (Output Controller) field accepts only a null string value ("") or a valid output 
device that is available via the SAP GUI drop-down list for this field. Invalid selections return 
an error. 

+ The LANGU field must be set to one of the one-letter language codes defined in “Language 
Codes” on page 55 or to a null string (""). The null string defaults to the SAP system default 
language. This field is case sensitive. Non-defined fields result in an error. 


In BAPI_USER_CHANGE (LOGONDATA structure) 


+ The USTYP field only accepts the valid User Types defined in “User Types: 
LOGONDATA:USTYP” on page 53 or a null string (""). Other input generates an exception 
and error message stating, “Invalid user type<type>”. 

+ The TZONE field accepts only valid, selectable fields from the SAP GUI drop-down list. 
Invalid input generates an exception and an error message stating, “Invalid time zone.” The 
Time Zone setting is displayed under the Defaults tab in the SAP client Display User dialog 
box. 

+ The CLASS field represents the User's User Group for Authorization Check setting. Only 
fields that are selectable from the SAP GUI drop-down list are accepted. Invalid input 
generates an exception and error message stating, “User group <class> does not exist.” 

+ The GLTGV (Validity Begin Date) and GLTGB (Validity End Date) values exist as a set of 
data. 

+ If the Begin Date is set alone, the BAPI must also set an imitation, higher value End Date 
(GLTGB), but the LOGONDATAX structure should not be checked for GLTGB. 

+ The Begin Date must always be less than the End date. 

+ Invalid date input generates an exception and an error message stating, “Invalid time interval: 
Begin date after end date.” 
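
The DEFAULTS and LOGONDATA rules above can be checked before a value reaches the BAPI, so that a rejected value, or one that SAP would silently default or truncate, is caught in the policy layer. The following Python check is an added example, not part of the driver; the function names, the dictionary representation of the structures, and the 9999-12-31 placeholder end date are assumptions.

```python
from datetime import date

# Accepted values and the value a null string resolves to (DEFAULTS notes above).
CHOICES = {"SPDB": ({"G", "H"}, "H"), "SPDA": ({"D", "K"}, "K")}
KOSTL_MAX = 8          # assumes single-byte characters, so bytes == characters
START_MENU_MAX = 30
PLACEHOLDER_END = date(9999, 12, 31)  # assumption: any date after the begin date


def check_defaults(fields):
    """Pre-check a DEFAULTS structure; returns (normalized, errors, warnings)."""
    out, errors, warnings = dict(fields), [], []
    for name, (allowed, default) in CHOICES.items():
        value = out.get(name)
        if value == "":
            out[name] = default            # null string: SAP stores the default
        elif value is not None and value not in allowed:
            errors.append(f"{name}: {value!r} rejected (case sensitive)")
    kostl = out.get("KOSTL")
    if kostl is not None and len(kostl) > KOSTL_MAX:
        # SAP truncates without an error, so the stored cost center differs.
        warnings.append(f"KOSTL will be stored as {kostl[:KOSTL_MAX]!r}")
    menu = out.get("START_MENU")
    if menu is not None and len(menu) > START_MENU_MAX:
        errors.append("START_MENU: longer than 30 characters")
    return out, errors, warnings


def logon_validity(begin=None, end=None):
    """Build the GLTGV/GLTGB values and their LOGONDATAX change flags."""
    data, flags = {}, {}
    if begin is not None:
        data["GLTGV"], flags["GLTGV"] = begin, "X"
    if end is not None:
        data["GLTGB"], flags["GLTGB"] = end, "X"
    elif begin is not None:
        data["GLTGB"] = PLACEHOLDER_END    # sent, but not flagged as changed
    if begin is not None and not begin < data["GLTGB"]:
        raise ValueError("Invalid time interval: Begin date after end date")
    return data, flags
```
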

In BAPI_USER_CHANGE (GROUPS table) 


+ Only valid groups that exist in the SAP User Groups table can be added to a user. Invalid input 
generates an exception and an error message stating, “User group<name> does not exist.” 


In BAPI_USER_CHANGE (ADDCOMREM table) 
+ The LANGU and LANGU_ISO fields are set with the driver's language parameter value. 


+ The CONSNUMBER field must match the associated communication data elements' 
CONSNUMBER field. 